skill-audit

CRITICAL E005: Suspicious download URL detected in skill instructions.

• Suspicious download URL detected (high risk: 0.90). The GitHub repo is a third‑party source that could host scripts or releases from an unvetted author and the plain‑HTTP evil.com?token= endpoint is an obvious suspicious callback/exfiltration URL, so together they represent a high‑risk distribution/exfiltration vector.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The SKILL.md explicitly instructs the agent to audit third‑party skills from public sources (e.g., "Use when you're about to install a third‑party skill from GitHub, ClawHub") and to "Read every referenced script" and "Verify all external URLs," meaning the agent will fetch and interpret untrusted, user‑generated web content that can influence install/decision actions.