cli-productivity

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The SKILL.md includes explicit runtime fetches of public third‑party endpoints (e.g., the "Data Processing Pipeline" curl to https://api.github.com/users/…, the myip() curl to https://ifconfig.me, weather() to wttr.in, and install scripts fetched via curl), and those responses are parsed with jq and used in pipelines — i.e., untrusted web content is ingested and can influence subsequent actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill's installation steps explicitly run remote installer scripts via curl piping to a shell (curl -sS https://raw.githubusercontent.com/ajeetdsouza/zoxide/main/install.sh | bash and curl -sS https://starship.rs/install.sh | sh), which fetch and execute remote code during setup for required dependencies.