pp-steam-web

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.70). The skill directly queries the public Steam Web API (see SKILL.md commands like profile, friends, news, achievements and the generic api ) and instructs the agent to consume and parse the CLI's JSON .results via --agent for runtime behavior, meaning untrusted/user-generated Steam profile/news/friend data is ingested and can influence the agent's outputs or next actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill requires fetching and installing remote code at runtime (e.g., via "npx -y @mvanhorn/printing-press install steam-web --cli-only" and "go install github.com/mvanhorn/printing-press-library/library/media-and-entertainment/steam-web/cmd/steam-web-pp-cli@latest"), which downloads and installs/executess external binaries that the skill relies on to produce agent output, so these URLs are runtime dependencies that can execute remote code.