skf-create-skill

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly clones and/or reads public GitHub repositories and arbitrary doc URLs as part of its required workflow (see steps-c/step-01-load-brief.md "Resolve Source Code Location", steps-c/step-03-extract.md and references/source-resolution-protocols.md / gh_bridge usage), and those untrusted, user-authored files (including promoted docs and bundled scripts) are parsed and used to drive compilation and actionable outputs, so third-party content can materially influence tool use and decisions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill runtime explicitly clones and fetches remote git repositories (e.g., https://github.com/facebook/react) and then uses the fetched source to construct SKILL.md and related instructions, so external repo content can directly control agent prompts/output.