pet-rate-rings

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill's required install step (SKILL.md step 4 -> installer/install-template.sh) runs "npm install", which fetches and installs packages from the public npm registry (third‑party, user-published code) and thus allows untrusted remote package content to be executed and influence runtime behavior.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.70). The bundled installer invokes npm install which will fetch package tarballs from the npm registry (e.g. https://registry.npmjs.org/electron/-/electron-41.5.0.tgz and other https://registry.npmjs.org/... URLs listed in package-lock.json) during runtime, and those fetched packages (notably electron with an install script) can execute remote code, so this is a required runtime external dependency that can run code.