add-ollama-tool

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). This skill allows the agent to download and run models from the public Ollama registry (see the management tools like ollama_pull_model and the use of ollama_generate in SKILL.md Phase 3/Phase 4), so it ingests untrusted third‑party model content whose outputs the agent is expected to read and act on, enabling indirect prompt injection.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). The skill's Phase 2 instructions explicitly add and fetch from the upstream Git URL (https://github.com/qwibitai/nanoclaw.git) and then merge/copy/build the fetched files (including container/agent-runner/src/ollama-mcp-stdio.ts), meaning remote code from that URL is fetched at apply-time and will be executed in the agent environment.