skill-selector

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly instructs the agent to "read the underlying SKILL.md" (via apm view / upstream clone or GitHub README) when a catalog row's platform differs and also delegates Phase 2 to skill-finder for cross-source searches (including GitHub/topic sources), so it will fetch and interpret public third‑party repository content that can change install/decision behavior.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill explicitly instructs reading/updating APM and using apm view / apm install to fetch upstream skill repositories (e.g., https://github.com/mizchi/skills and install strings like mizchi/skills/playwright-test), and those remote SKILL.md repositories are fetched at runtime and contain agent-facing instructions that directly control behavior.