aif

Fail

Audited by Snyk on May 28, 2026

Risk Level: CRITICAL
Full Analysis

CRITICAL E005: Suspicious download URL detected in skill instructions.

  • Suspicious download URL detected (high risk: 0.70). skills.sh is an external, third‑party skills marketplace (not a well-known vendor CDN) that could host installable code or binaries — not an explicit executable link but it is an unverified source that requires scanning and caution before installing skills from it.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.85). The required runtime workflow installs and then runs an automated security scan on each outsider-authored external skill from skills.sh (public/community registry) via npx skills install ... <name> followed by $PYTHON .../security-scan.py <installed-skill-path>, which necessarily reads the downloaded skill’s files (including its SKILL.md/prompt text) into the LLM context for analysis.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). This skill fetches and runs external content at runtime — e.g., it directs users to install skills from https://skills.sh via "npx skills install" and to run npx to fetch/execute packages like @modelcontextprotocol/server-filesystem and @playwright/mcp, and its "Learn Mode" accepts arbitrary reference URLs passed to /aif-skill-generator that will be fetched and used to generate skill prompts—so remote content can both execute code and directly influence generated prompts.

Issues (3)

  • E005 (CRITICAL): Suspicious download URL detected in skill instructions.
  • W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
  • W012 (MEDIUM): Unverifiable external dependency detected (runtime URL that controls agent).

Audit Metadata
Risk Level: CRITICAL
Analyzed: May 28, 2026, 01:30 PM
Issues: 3