lovstudio-xbti-creator
Warn
Audited by Snyk on May 2, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.80). The skill's mandatory workflow instructs the agent to clone and read/modify a public GitHub repository (git clone https://github.com/lovstudio/XBTI.git and later read/update cases/registry.js and cases/index.json) and to interact with public services (e.g., Zenmux) as part of execution, which means it ingests open/public third-party content that can influence tool actions (PR creation, file edits) and thus could enable indirect prompt injection.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill explicitly runs git clone https://github.com/lovstudio/XBTI.git and auto-installs/executes the lovstudio image-creator via "npx skills add lovstudio/skills" (https://github.com/lovstudio/skills), which are fetched at runtime and provide remote code (e.g., gen_image.py) that the skill then executes and depends on—so these URLs supply required executable content at runtime.
MEDIUM W013: Attempt to modify system services in skill instructions.
- Attempt to modify system services in skill instructions detected (high risk: 0.80). The prompt directs the agent to automatically modify the host environment (run npx installs, pip install with --break-system-packages, clone/remove files, run package-manager installs and git operations) and explicitly uses a pip flag that bypasses package protection, which encourages the agent to change the machine state and bypass security protections.
Issues (3)
- W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
- W012 (MEDIUM): Unverifiable external dependency detected (runtime URL that controls agent).
- W013 (MEDIUM): Attempt to modify system services in skill instructions.