can-opener

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The SKILL.md workflow explicitly accepts an "OpenAPI spec path" that can be "A URL to fetch" and the /can-opener update steps list "A URL to fetch" as a source; the agent is expected to fetch and compile that external OpenAPI JSON and use its contents to generate functions, schemas, tests and drive subsequent actions, so untrusted third‑party spec content can materially influence behavior.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill's mix.exs declares a git dependency that will be fetched and compiled at setup—{:can_opener, git: "https://github.com/agoodway/can_opener.git"}—and that remote code (CanOpener macros) executes at compile-time to generate client code, so the URL is used to fetch and run remote code the project depends on.