localai

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The SKILL.md "Gallery Models" section explicitly shows fetching and applying models/configs from public sources (e.g., curl with "huggingface://TheBloke/..." and "github:go-skynet/..."), meaning untrusted third-party model files or YAML configs are downloaded and loaded into the agent and can change its behavior and actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill shows a runtime call to curl http://localhost:8080/models/apply with "url": "github:go-skynet/model-gallery/gpt4all-j.yaml", which causes LocalAI to fetch a remote GitHub YAML model definition that can contain template/prompt instructions and thus directly control agent prompts at runtime.