math-teacher

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill explicitly requires loading and executing remote JavaScript at runtime from https://xingyun-new.github.io/Skills-XiaoSiMen/lib/feishu-sync.js (FeishuSync), which is a mandatory dependency for quiz/challenge artifacts and therefore fetches and runs remote code in the artifact/runtime context.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 0.70). The skill explicitly instructs the agent to execute local bash scripts and automatically write, commit, and push files (auto-publish) on the host filesystem and remote repo—actions that modify machine state and perform network-side changes without requiring user confirmation, even though it doesn't request sudo or user creation.