workflow-orchestration

CRITICAL E005: Suspicious download URL detected in skill instructions.

• Suspicious download URL detected (high risk: 0.70). The GitHub repository itself is on a reputable platform but is from an unfamiliar username and points to googleadsagent.ai — a non-official domain that appears to impersonate "Google Ads" and could host or link to untrusted downloads — so the combination is moderately suspicious and warrants caution before downloading or running anything.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The SKILL.md explicitly describes an MCP plugin system that supports "browser automation" and "API calls" and the implementation's executeMCP(node.config) calls callMcpTool(server, tool, ...), which lets workflows invoke arbitrary external MCP servers and ingest their outputs into node results that drive conditional routing—so the agent can consume untrusted public web or third-party content that could change subsequent actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill's executeMCP implementation calls callMcpTool(server, tool, ...) at runtime, meaning a configured MCP server URL (the "server" parameter passed to callMcpTool) is contacted during execution and can run external tools / execute remote code that directly controls workflow behavior.