criar-skill

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill package explicitly instructs the agent to fetch and ingest public web content (e.g., prompt-instalacao.md and install.sh direct the agent to git clone or curl raw.githubusercontent.com URLs, the GitHub-backup flow uses gh to view/create repos, and multiple templates/workflows (examples and wizard.html) describe "Acessa o site", "link do youtube", "Busca transcricao" and extracting data from arbitrary URLs), so the agent will read untrusted, user-generated third‑party pages whose contents could influence subsequent actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). The README and prompt-instalacao explicitly instruct running remote install code (e.g., curl -fsSL https://raw.githubusercontent.com/okjpg/skill-creator/main/install.sh | bash and git clone https://github.com/okjpg/skill-creator), which the agent is asked to execute at runtime to fetch and run scripts that install and control the skill—meeting the criteria for a runtime remote-code dependency.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (low risk: 0.30). The skill explicitly instructs the agent to create directories and files under the user's home (~/.claude/skills/, ~/.claude/.env, drafts), run CLI commands (gh, op, claude) and modify project files (SKILL.md, evals.json, commits/pushes), so it does modify machine state and handle credentials, but it does not request sudo, alter system-level files, or create user accounts.