skflow-transform

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The transform skill explicitly reads and ingests entire markdown skill files (see "Step 1: Read and Analyze the Original Skill" / "Read the entire markdown file" in SKILL.md and the ocmdx-transform requirements) — including skills that may be installed via npx/skills (public repos) — and compresses their tables/rules/examples into ask() prompts that the agent will execute, so untrusted third‑party skill markdown can directly influence LLM judgments and subsequent actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill instructs the agent to run external npx commands that fetch and execute remote packages at runtime (e.g., "npx @ocmdx/cli compile " and "npx skills add opencmdx/ocmdx"), which causes remote code to be downloaded and executed locally, so these runtime-fetch commands are flagged as risky.