skill-installer

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly fetches and ingests SKILL.md content from untrusted public sources—e.g., GitHub raw URLs via curl (raw.githubusercontent.com) and arbitrary third-party URLs via WebFetch as described in "第一阶段：解析来源"—and then reads/interprets that content to decide/install skills (including downloading other files), so third‑party content can materially influence agent actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The installer explicitly fetches SKILL.md at runtime from URLs such as https://raw.githubusercontent.com/... (and queries https://api.github.com/...) and then writes/activates that fetched content as a skill, so the remotely retrieved file can directly control agent prompts/behavior.