sync-template
Fail
Audited by Snyk on Jun 3, 2026
Risk Level: CRITICAL
Full Analysis
CRITICAL E005: Suspicious download URL detected in skill instructions.
- Suspicious download URL detected (high risk: 0.80). These point to content hosted on GitHub: raw.githubusercontent.com can serve arbitrary files from any repo, and github.com/Rheinmir/setup.git is an unvetted third‑party repository — downloading/executing scripts from an unknown GitHub user/repo (especially via curl/gh as described) is potentially dangerous.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.85). The skill fetches arbitrary free-form Markdown files from an outsider-authored public GitHub repository at runtime via curl/gh api (e.g., Step 2 branch audit + Step 4/6 BASE="https://raw.githubusercontent.com/.../$branch" and curl -sfL <url> -o <local_path>), and those fetched file contents are then processed/installed (Step 7), making them readable text that can be fed into the agent’s LLM context.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill explicitly fetches remote skill files at runtime (using gh API calls like "gh api repos///branches" and curl against raw content such as "https://raw.githubusercontent.com////...") from the template repo (e.g., https://github.com/Rheinmir/setup.git), then installs those files as native Claude skills — meaning remote content can directly control agent prompts/behavior.
MEDIUM W013: Attempt to modify system services in skill instructions.
- Attempt to modify system services in skill instructions detected (low risk: 0.30). The skill instructs the agent to modify filesystem and repo state (deleting/moving project files, committing/pushing, and writing global user-level files under ~/.claude/) which changes the machine state, but it does not request sudo, alter system-wide config, or create user accounts, so it's a moderate-risk non-privileged change.
Issues (4)
- E005 CRITICAL: Suspicious download URL detected in skill instructions.
- W011 MEDIUM: Third-party content exposure detected (indirect prompt injection risk).
- W012 MEDIUM: Unverifiable external dependency detected (runtime URL that controls agent).
- W013 MEDIUM: Attempt to modify system services in skill instructions.