seed-install

Fail

Audited by Snyk on Jun 17, 2026

Risk Level: CRITICAL
Full Analysis

CRITICAL E005: Suspicious download URL detected in skill instructions.

  • Suspicious download URL detected (high risk: 0.70). Most URLs point to raw.githubusercontent.com content for the plow-pbc/openseed repo (documentation and code) and a seeds.plow.co feedback endpoint, but they also include a direct raw install.sh (an executable script) and several malformed/placeholder paths (e.g. https://host/org/../x, https://*). Direct links to raw .sh files and ambiguous/wildcard URLs are high-risk to download and run without first inspecting the repository and script contents.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.85). The skill’s runtime LLM context can ingest outsider-authored free text from the repo’s own SEED.md/## Dependencies/### Requirements tables and prose (which are fetched/cloned from external git URLs in clone mode), because the agent renders the preflight report and then reads dependency prose to infer requirements—those texts are outsider-authored and become readable prompt content for the agent.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 1.00). The skill performs runtime git clones of user-supplied repository URLs (it runs commands like "git clone -- " and shallow-clones external SEED URLs such as "https://host/org/repo(.git)" or "git@host:org/repo.git"). The cloned SEEDs can contain repo-supplied shell blocks under ## Dependencies/## Verification that the agent displays and then executes, so fetched remote content directly controls the agent's prompts and executes code.

MEDIUM W013: Attempt to modify system services in skill instructions.

  • Attempt to modify system services in skill instructions detected (high risk: 0.90). The skill is an installer that executes repo-provided shell blocks and explicitly assembles and hands off a prepare-script that performs interactive sudo and privileged remote sudo steps (and thus can modify system files, install packages, or create accounts), so it facilitates privileged, state-changing operations on the host even if some sudo work is delegated to an operator-run script.

Issues (4)

  • E005 (CRITICAL): Suspicious download URL detected in skill instructions.
  • W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
  • W012 (MEDIUM): Unverifiable external dependency detected (runtime URL that controls agent).
  • W013 (MEDIUM): Attempt to modify system services in skill instructions.

Audit Metadata

  • Risk Level: CRITICAL
  • Analyzed: Jun 17, 2026, 10:35 PM
  • Issues: 4