makepad-deployment

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill's CI/workflow and tooling explicitly fetch and process public, user-provided content — e.g., actions/checkout and Project-Robius-China/makepad-packaging-action in the GitHub Actions workflows and multiple cargo install --git lines that pull from GitHub — so the agent running these steps will read/interpret arbitrary repository files and release bodies from untrusted third-party sources.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The GitHub Actions workflow in this skill uses the external action Project-Robius-China/makepad-packaging-action (https://github.com/Project-Robius-China/makepad-packaging-action), which the runner fetches and executes at workflow runtime and is relied on as a required dependency for packaging.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 0.70). The prompt includes explicit privileged system commands (e.g., "sudo apt-get update" and "sudo apt-get install ...") that require elevated privileges and modify the machine's system state, so it should be flagged as a potential compromise risk.