wind-find-finance-skill

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill's update-check script (scripts/check-updates.mjs) fetches repo trees from public GitHub/Gitee APIs using sourceUrl entries found in local lock files and writes [wind-skills] update notices to stderr which SKILL.md requires the agent to read and relay, meaning untrusted third‑party repo content can influence recommended install/upgrade commands.