belt
Warn
Audited by Snyk on May 12, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The SKILL.md explicitly instructs fetching and running third‑party skills/apps from public sources (e.g., "belt skill use github.com/user/repo" and public app/skill registries), which are user‑generated/untrusted and are used as reusable workflows that the agent will read and execute, allowing external content to influence actions.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The install instruction runs "curl -fsSL cli.inference.sh | sh", which fetches and immediately executes remote shell code (cli.inference.sh) as part of installing the required belt CLI, meaning remote content is executed at runtime.
Issues (2)
W011
MEDIUM: Third-party content exposure detected (indirect prompt injection risk).
W012
MEDIUM: Unverifiable external dependency detected (runtime URL that controls agent).
Audit Metadata