skill-store

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly clones arbitrary Git repositories provided via scripts/registry.py (add) and scripts/sync.py into REPOS_DIR, then scripts/index.py parses untrusted SKILL.md frontmatter from those repos and scripts/install.py may run repository-provided tool.js or main.py code during install/update, meaning external, user-controlled repo content is ingested and can materially influence agent actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill runtime clones arbitrary Git repositories (e.g., the example URL "https://github.com/user/repo" and other git URLs like git@github.com:org/repo.git) and then copies, installs dependencies, and may execute fetched code (node tool.js or python main.py) from those repos, so remote content can directly execute code and control agent behavior.