cli

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The CLI explicitly supports installing skills from GitHub URLs and arbitrary HTTPS/ZIP URLs via "lh skill install" (references/skills-plugins.md), and those skills contain "content (prompt/instructions)" that agents can use, so untrusted, user-provided web content is fetched and can directly influence agent behavior and tool use.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). The CLI exposes a runtime "lh skill install" that fetches skills from external URLs (e.g. GitHub repos like https://github.com/lobehub/skill-repo or ZIP URLs like https://example.com/skill.zip), and those fetched skill files are skill content (prompts/instructions) that will be injected/used by agents at runtime, so remote content can directly control agent prompts.