dev-swarm-nodejs

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The SKILL.md explicitly instructs downloading and running third-party installer scripts (e.g., curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.40.3/install.sh | bash and the nvm-windows release URL), which are public, untrusted sources whose content could contain instructions that materially change behavior.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). The skill runs remote installers at runtime—specifically it pipes https://raw.githubusercontent.com/nvm-sh/nvm/v0.40.3/install.sh into bash and directs users to download/execute https://github.com/coreybutler/nvm-windows/releases/download/1.2.2/nvm-setup.exe—which fetches and executes remote code as a required installation step.