sharingan

Warn

Audited by Snyk on Apr 20, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The skill's scanner (scripts/scan-repo.js) explicitly fetches public GitHub content via gh api (fetchRepoTree / fetchFileContent). The SKILL.md and other repo files are then read and fed into the LLM-based Phase 2 analyzer and the format-mapping/generation pipeline, so untrusted, user-generated third-party content from arbitrary public repos can influence subsequent tool use and generation decisions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). The scan-repo.js script invokes the GitHub CLI to fetch repository files from GitHub at runtime (e.g., https://github.com/anthropics/skills via gh api repos/{owner}/{repo}/contents/...). The retrieved SKILL.md / references are then used as inputs to LLM-based analysis/generation, so external repo content can directly control the prompts used by the agent.

Audit Metadata

Risk Level: MEDIUM
Analyzed: Apr 20, 2026, 07:25 PM
Issues: 2