opensrc

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill's SKILL.md and reference docs explicitly instruct running opensrc fetch and opensrc path against public package specs and repo hosts (npm/PyPI/crates/github/gitlab/bitbucket and full URLs) and to read/diff upstream source trees and READMEs, which causes the agent to fetch and interpret arbitrary third‑party repository content that can materially influence upgrade decisions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill explicitly runs the opensrc CLI at runtime to fetch upstream source trees and repo specs (e.g., "github:owner/repo" or "owner/repo"), and those fetched files are intended to be injected into the agent's context to drive analysis and prompts, so the git repo URL form "github:owner/repo" is a runtime external dependency that can directly control agent instructions.