meridian

CRITICAL E005: Suspicious download URL detected in skill instructions.

• Suspicious download URL detected (high risk: 0.70). The GitHub URL points to an unvetted third‑party repo that the skill instructs you to clone and run npm scripts from (which can execute arbitrary code), while the localhost URL is just a local dev endpoint — together this is a moderate-to-high risk if you run the code without inspecting it.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The SKILL.md explicitly requires cloning a public GitHub repository (git clone https://github.com/zephyrwang6/VaultPilot.git) and instructs the agent to read files from that fetched code (e.g., cat "05 工具箱/obsidian-dashboard/.../OverviewPanel.tsx"), so it ingests and acts on untrusted third-party content that can influence subsequent actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill instructs cloning and installing code from https://github.com/zephyrwang6/VaultPilot.git and then running the project (npm install / npm run dev), which fetches remote code that will be executed as a required dependency, so this URL is a runtime external dependency that can execute remote code.