cliamp-terminal-music-player

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill documentation explicitly instructs installing and loading community Lua plugins from GitHub (e.g., git clone ~/.config/cliamp/plugins/...), supports playing arbitrary stream and playlist URLs and using yt-dlp/cookies, and exposes a plugin http_get API — all of which cause the program to fetch and execute or interpret untrusted, user-generated third‑party content at runtime and can materially influence behavior.