crxhub-cli

CRITICAL E005: Suspicious download URL detected in skill instructions.

• Suspicious download URL detected (high risk: 0.80). The URL is an unspecified/unknown GitHub repository that explicitly instructs downloading and executing a pre-built binary from the repo (scripts/crx), which is a common malware distribution vector when the owner/repo is unverified or poorly populated.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). This skill explicitly fetches release metadata via gh release view and downloads assets from GitHub Releases (public repositories), so it consumes untrusted user-generated third-party content from GitHub that directly influences which assets are selected and installed as described in "How It Works".