docx

CRITICAL E005: Suspicious download URL detected in skill instructions.

• Suspicious download URL detected (high risk: 0.80). https://astral.sh/uv/install.sh is a direct shell-install script (a .sh) served from an external domain and the prompt suggests piping it to sh, which is a high‑risk pattern unless the domain and script are verified and trusted.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill explicitly reads arbitrary .docx files supplied by users (scripts/docx-read / packages/docx/main.py → docx_to_markdown) and the SKILL.md "AI 使用约定" says the extracted Markdown is for the AI to continue processing, so untrusted/user-provided document content can be ingested and materially influence agent behavior.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill's runtime scripts invoke uv sync and uv run, and the repository's uv config/lock point to package URLs on the mirror (e.g. https://mirrors.aliyun.com/pypi/simple/ and specific wheel URLs like https://mirrors.aliyun.com/pypi/packages/.../markdown_it_py-4.0.0-py3-none-any.whl) which are fetched at runtime to obtain Python packages that will be executed locally, so external content can supply executable code used by the skill.