xget

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's scripts (scripts/xget.mjs) explicitly fetch and parse live public content—e.g., DEFAULT_SOURCE_URL (https://raw.gitcode.com/.../platform-catalog.js) and DEFAULT_README_URL (https://raw.githubusercontent.com/.../README.md)—and SKILL.md requires using those live README/platform sections to drive URL conversions and execution, so untrusted public README/platform content can directly influence tool decisions and actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill's runtime script (scripts/xget.mjs) fetches external content—notably https://raw.gitcode.com/xixu-me/xget/raw/main/src/config/platform-catalog.js and https://raw.githubusercontent.com/xixu-me/xget/main/README.md—which is parsed at runtime to drive platform mappings and to extract README "Use Cases" snippets that the agent uses to generate or execute configuration/commands, so the fetched content can directly control agent instructions.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 0.70). The skill defaults to executing shell commands and editing real configuration and deployment files (including self-hosting, Docker/Kubernetes, CI/CD and wiring system-level settings), which can modify the machine state and may require or prompt privileged operations even though it doesn't explicitly request sudo or user creation.