localai

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The SKILL.md explicitly instructs fetching models and gallery metadata from public third-party sources (e.g., wget from huggingface.co and the GALLERIES setting pointing to a GitHub index.yaml), which causes the agent/LocalAI instance to ingest untrusted, user-contributed content that can change model behavior and thus influence subsequent actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill includes installation/startup commands that fetch and execute remote binaries/images (notably the curl download/execution of the LocalAI release at https://github.com/mudler/LocalAI/releases/latest/download/local-ai-$(uname -s)-$(uname -m) and the docker image localai/localai:latest-cpu), which are external runtime dependencies that execute remote code and are required to run the skill.