building-detection-rules-with-sigma

Fail

Audited by Snyk on Apr 13, 2026

Risk Level: CRITICAL
Full Analysis

CRITICAL E005: Suspicious download URL detected in skill instructions.

  • Suspicious download URL detected (high risk: 0.70). The set contains the official Mimikatz GitHub repo—an established, dual-use credential-dumping tool that distributes source and binaries and is frequently abused by attackers (high risk), while the MITRE ATT&CK reference and SigmaHQ repo are reputable, low-risk resources; overall this mix is moderately high risk because of the Mimikatz link.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.80). The skill's workflow and prerequisites explicitly require cloning and reading community Sigma rules from the public Sigma GitHub repo (SKILL.md "Prerequisites: Sigma rule repository cloned: git clone https://github.com/SigmaHQ/sigma.git" and Step 4/os.walk of sigma/rules/windows/), so the agent ingests untrusted, user-generated rule YAMLs which are parsed and converted and therefore can materially influence conversions, deployments, and subsequent actions.

Issues (2)

  • CRITICAL E005: Suspicious download URL detected in skill instructions.
  • MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

Audit Metadata
Risk Level: CRITICAL
Analyzed: Apr 13, 2026, 07:12 PM
Issues: 2