excalidraw

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The SKILL.md "Update check (notify, don't pull)" workflow (step 0) explicitly runs git ls-remote against the upstream origin and can git pull the remote repository (e.g., a public GitHub repo) with user approval, so the agent fetches and may ingest untrusted, user-maintained upstream code/tags that can materially change its behavior.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (medium risk: 0.60). The skill instructs global npm installation and an explicit sed "macOS patch" that edits files in the global npm package directory and also describes updating the skill directory (writing a .last_update file and optionally running git pull), which can mutate system- or environment-owned files (often requiring sudo), so it encourages actions that can change machine state even though it doesn't explicitly ask for sudo or creating users.