lovstudio-event-curator

Fail

Audited by Snyk on May 3, 2026

Risk Level: CRITICAL
Full Analysis

CRITICAL E004: Prompt injection detected in skill instructions.

  • Potential prompt injection detected (high risk: 1.00). The prompt includes an explicit instruction to decrypt and then "read it as if it were these instructions" (plus commands to run and activation flows), which attempts to override the current skill/system instructions and directs behavior unrelated to generating an event plan, so it's a prompt-injection-style override.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). The skill requires running external tooling to obtain/decrypt its real instructions (e.g., "uvx lovstudio-skill-helper decrypt event-curator" and, if missing, "npx skills add lovstudio/skills"), so the lovstudio/skills package fetched via npx (and the encrypted bundle it installs) is a runtime external dependency that, once decrypted, directly supplies instructions that control the agent.

Issues (2)

E004 (CRITICAL): Prompt injection detected in skill instructions.

W012 (MEDIUM): Unverifiable external dependency detected (runtime URL that controls agent).

Audit Metadata
Risk Level: CRITICAL
Analyzed: May 3, 2026, 04:09 AM
Issues: 2