create-skill

Warn

Audited by Snyk on May 12, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The skill explicitly instructs the agent to use WebSearch/WebFetch to fetch public documentation and raw GitHub URLs: Phase 3 ("Research") uses WebSearch/WebFetch to fetch arbitrary sources, Phase 0 fetches from raw.githubusercontent.com, and scripts/ensure_spec_repo.sh git-clones a public GitHub repo. The skill therefore ingests untrusted third-party web content that the agent must read and act on as part of its workflow.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). The bootstrap script (scripts/ensure_spec_repo.sh) runs at runtime (Phase 1) and performs a git clone of https://github.com/anthropics/skills.git into ~/.agent-skills-spec. The cloned spec repo is then read by multiple phases to determine prompts/instructions and spec compliance, so this external repo fetch directly controls agent behavior and is a required dependency.

Audit Metadata

Risk Level: MEDIUM
Analyzed: May 12, 2026, 09:09 PM
Issues: 2