plugin-review

Warn

Audited by Snyk on Jun 22, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.85). The workflow fetches the current plugin specification and PR contents (e.g., curl to a public GitHub raw URL and gh api ... .raw_url for PR file bodies), which are outsider-authored free text that can be ingested into the agent’s LLM context for evaluation/reporting.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). The skill explicitly fetches the live spec and plugin files at runtime (e.g., curl https://raw.githubusercontent.com/base/skills/master/skills/base-mcp/references/plugin-spec.md and the GH API call that yields GitHub raw_url values for plugin .md files), and that fetched content directly controls the agent's evaluation instructions/prompts, so this is a required runtime external dependency that influences agent behavior.

Issues (2)

W011  MEDIUM  Third-party content exposure detected (indirect prompt injection risk).

W012  MEDIUM  Unverifiable external dependency detected (runtime URL that controls agent).

Audit Metadata

Risk Level: MEDIUM
Analyzed: Jun 22, 2026, 07:19 PM
Issues: 2