pp-myfitnesspal

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The SKILL.md explicitly scrapes and ingests content from myfitnesspal.com (e.g., diary get-day, exercise, food search, note which return scraped HTML or public food DB results) and provides an agent-facing context/analytics pipeline that the agent is expected to read and use for decisions, so untrusted/user-submitted third‑party content can materially influence agent behavior.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill instructs installing and running remote Go modules at runtime (e.g. go install github.com/mvanhorn/printing-press-library/library/other/myfitnesspal/cmd/myfitnesspal-pp-cli@latest and go install github.com/mvanhorn/printing-press-library/library/other/myfitnesspal/cmd/myfitnesspal-pp-mcp@latest), which fetches and executes remote code and are required dependencies for the skill.