skill

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's setup/import flow explicitly lets the agent download a skill from an arbitrary URL (e.g., "Import skill" → "URL: Download skill from a URL (e.g., GitHub gist)") and then saves/uses that markdown as a local skill which the system may automatically apply (see "Automatic Application: Codex detects triggers and applies skills automatically"), so untrusted third-party content can directly influence agent behavior.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The setup wizard's "Import skill" option downloads skill markdown from a user-provided URL at runtime (e.g., a raw GitHub Gist / raw content URL such as https://raw.githubusercontent.com/ or a gist URL), saves it into the local skills directory, and that fetched content can directly control agent behavior by becoming a skill the agent applies automatically.