mise

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's SKILL.md explicitly instructs fetching and installing tools from public, user-controlled sources—e.g., UBI/github releases (ubi:owner/repo and direct release URLs), cargo from GitHub (cargo:https://github.com/...), npm/crates.io, the http backend, and even a curl https://mise.run | sh install—so it will ingest untrusted third-party content (public repos/releases/registries) as part of its workflow and those remote artifacts can change tool behavior or execution.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). The skill's installation and prerequisite commands explicitly fetch and execute remote scripts (curl https://mise.run | sh and curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh), which run remote code at runtime and are presented as required setup steps.