seed-audit

CRITICAL E005: Suspicious download URL detected in skill instructions.

• Suspicious download URL detected (high risk: 0.80). This is a direct raw.githubusercontent.com link to an install.sh script in a third-party GitHub repo of unclear trustworthiness — while raw.githubusercontent.com is a legitimate CDN, downloading and running remote shell scripts from an unvetted repository is a common malware distribution vector and therefore suspicious.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.75). Outsider free text can enter the LLM context because the skill’s runtime step 2 runs the four checks by scanning the audited repo’s working tree (including markdown prose/docstrings/comments and extracted fenced shell blocks), and those repo-authored texts are then available to the agent/LLM to interpret while deciding the booleans—i.e., attacker-authored content from the target repo (outsider) is ingested as readable text.