skill-security

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The required runtime workflow ingests the target skill’s own SKILL.md and flagged source files by reading them as UTF-8 text (scripts/scan.py → az.read_text(fp) and then az.scan_frontmatter(...) / az.scan_patterns(...) / az.scan_python_ast(...)), which are outsider-authored free text when the skill comes from an untrusted third party (e.g., a downloaded marketplace skill or repo); this text is then placed into the agent’s LLM context via the produced findings/report.