skill-installer

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill's scripts (scripts/list-skills.py and scripts/install-skill-from-github.py) explicitly fetch content from GitHub (via the GitHub API and codeload/git clone of arbitrary owner/repo or user-provided URLs) and install those public or user-supplied repo files into $CODEX_HOME/skills, meaning untrusted third-party content is ingested and can materially alter the agent's behavior by adding new skills.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The installer scripts fetch repository contents at runtime from GitHub (e.g. https://codeload.github.com/{owner}/{repo}/zip/{ref} and https://api.github.com/repos/{repo}/contents/{path}?ref={ref}), and those fetched SKILL.md and repo files can directly control agent prompts or include code that the skill system will install and run, so this is a required external dependency that can control agent behavior.