skill-autoinstaller

Warn

Audited by Snyk on Mar 1, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The cloneRepo() step in discover.js clones arbitrary GitHub repositories, and the code reads and parses SKILL.md and metadata/install entries (discover.js / evaluate.js). This is untrusted, user-generated third-party content that the agent interprets and uses to drive evaluation and installation decisions.

MEDIUM W013: Attempt to modify system services in skill instructions.

  • Attempt to modify system services in skill instructions detected (high risk: 0.80). The auto-installer explicitly runs installation steps (apt-get, brew, npm -g, pip, running install scripts/binaries) and a pipeline that can execute arbitrary install scripts and system package managers, which can modify system files or require sudo. It therefore pushes the agent to change the machine state despite audit checks.

Audit Metadata

Risk Level: MEDIUM
Analyzed: Mar 1, 2026, 05:12 AM