upgrade

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.85). The runtime upgrade flow performs git fetch origin and git reset --hard origin/main in the marketplace repo, then copies the fetched plugin files (including CHANGELOG.md) into the cache and reads $NEW_CACHE_DIR/CHANGELOG.md to generate the “What’s new” bullets—so outsider-authored free text from the public/third-party marketplace repo can be ingested into the agent’s LLM context.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill runs "git fetch origin" and "git reset --hard origin/main" in the marketplace repo at ~/.claude/plugins/marketplaces/nowork-studio and then reads the fetched CHANGELOG.md to generate the "What's New" summary, so the git remote 'origin' (the repository URL configured for that marketplace directory) is fetched at runtime and directly supplies content used to control the agent's prompts.