workleap-skill-safety-review

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill's required "Resolve the skill source" workflow explicitly tells the evaluator to fetch SKILL.md and all supporting files from public registries (https://skills.sh/{owner}/{repo}/{skill-name} and the underlying GitHub repo https://github.com/{owner}/{repo}), and Phase 3 also requires looking up the skill on vett.sh — all are open, user-authored third-party sources the agent must read and act on, allowing untrusted content to influence decisions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The SKILL explicitly instructs fetching the skill source (SKILL.md and supporting files) from the remote repository (e.g., https://github.com/{owner}/{repo} or https://skills.sh/{owner}/{repo}/{skill-name}) at runtime, meaning externally fetched content will directly control the agent's prompts/instructions.