catalog-porter

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). This skill explicitly accepts a user-provided GitHub repo URL and performs a git clone and file reads (Phase 1: "git clone --depth 1 " and "read the SKILL.md" / find SKILL.md), so arbitrary public GitHub content would be ingested and can materially influence classification and porting actions, enabling indirect prompt injection.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). This skill explicitly runs git clone --depth 1 /tmp/ at runtime to fetch a user-supplied GitHub repo and then reads/copies upstream SKILL.md files (agent skill bodies) into the catalog, meaning a fetched Git URL (git:// or https://github.com/...) can directly supply prompt/instruction content that controls agents.