schelling
Fail
Audited by Snyk on Apr 24, 2026
Risk Level: CRITICAL
Full Analysis
CRITICAL E005: Suspicious download URL detected in skill instructions.
- Suspicious download URL detected (high risk: 0.80). Suspicious: the skill mandates running remote code (npx schelling@0.2.2) and contacting an unknown API domain (api.schelling.sh) before any local reasoning, creating a high supply-chain/execution and data-exfiltration risk even though it’s not a direct .exe download.
CRITICAL E006: Malicious code pattern detected in skill scripts.
- Malicious code pattern detected (high risk: 1.00). The skill forcefully requires making network requests to an external API (api.schelling.sh) and running remote code via npx on every request, enabling easy exfiltration of user prompts/data and introducing supply-chain/remote-code-execution risk.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 1.00). The skill's mandatory first step is to run "npx schelling recall" against https://api.schelling.sh (see SKILL.md and scripts/schelling.sh), which fetches shared-memory posts/CIDs (user-generated, public) that the agent must read and use to reshape its approach, allowing untrusted third-party content to influence decisions.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 1.00). The skill mandates runtime calls to npx schelling@0.2.2 (which downloads and executes remote npm package code) and HTTPS requests to https://api.schelling.sh to fetch CIDs whose content is explicitly used to reshape the agent's prompts/instructions before any reasoning, so remote content and code directly control the agent at runtime.
Issues (4)
- E005 CRITICAL: Suspicious download URL detected in skill instructions.
- E006 CRITICAL: Malicious code pattern detected in skill scripts.
- W011 MEDIUM: Third-party content exposure detected (indirect prompt injection risk).
- W012 MEDIUM: Unverifiable external dependency detected (runtime URL that controls agent).
Audit Metadata