try

CRITICAL E006: Malicious code pattern detected in skill scripts.

• Malicious code pattern detected (high risk: 0.90). This skill fetches and decodes arbitrary SKILL.md files from arbitrary GitHub repos and then "treats and executes" their instructions in-session (without writing to disk), which is a high-risk remote code/instruction-injection and supply-chain vector that could be used to exfiltrate data, execute arbitrary commands, or steal credentials depending on the fetched skill's content, even though the loader itself contains no explicit payload.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). This skill fetches SKILL.md files directly from arbitrary GitHub repositories (see Step 2: "GitHub から SKILL.md を取得する") and then "read[s] the content and follow[s] its instructions" (Step 3), meaning untrusted, user-generated remote content can directly influence the agent's actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). This skill fetches a SKILL.md at runtime using the GitHub contents API (gh api repos///contents/skills//SKILL.md → https://api.github.com/repos///contents/skills//SKILL.md), decodes it, and then loads and follows those instructions in-session, so the remote URL directly controls agent prompts and is a required dependency.