ast-grep

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.70). The required runtime workflow for replace --apply runs ast-grep over user-supplied target paths/files and ingests their source code as readable text into the sg process (and thus into the helper’s JSON output context), which can include outsider-authored file contents from the workspace.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill's installers (install.sh / install.ps1), which the helper can invoke at runtime, download and install prebuilt executable binaries from GitHub release URLs (e.g. https://github.com/ast-grep/ast-grep/releases/download/0.42.1/ast-grep-.zip), meaning remote executable code is fetched and then run and the skill depends on that binary.