install-rules

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill explicitly accepts and parses rules from an arbitrary Git repository or URL (see SKILL.md "指定的 Git 存储库" / "owner/repo" and the "解析owner/repo和子路径" steps) and reads/ingests those untrusted Markdown rule files (INDEX.md / *.md) and installs them into agent-controlled targets (.cursor/.trae), so third‑party content can materially change agent behavior.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill accepts and fetches user-specified Git repositories at runtime (e.g., owner/repo or git@github.com:org/repo.git / https://github.com/owner/repo) and parses rule files from them to install AI behavior constraints, so fetched external content can directly control agent prompts/instructions.