lint-manager

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's installer (scripts/install_linter.py) runs external install commands (npm/pip/brew) and explicitly executes a curl to https://raw.githubusercontent.com/.../install.sh (curl ... | sh), meaning it fetches and executes untrusted public third-party content during normal workflow which can materially change tool behavior.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). The install_linter.py contains a runtime install command that fetches and pipes a remote script to the shell (curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $(go env GOPATH)/bin), which executes remote code during skill runtime to install golangci-lint.