use-skill

CRITICAL E006: Malicious code pattern detected in skill scripts.

• Malicious code pattern detected (high risk: 0.90). This "use-skill" loader fetches and executes arbitrary remote skill definitions (from GitHub/skills.sh/raw URLs) and thus acts as a remote-code execution / supply‑chain loader that can easily be abused to exfiltrate data, steal credentials, or install backdoors even though the file itself contains no explicit obfuscated payloads.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill fetches SKILL.md and related files directly from untrusted public sources (e.g., raw.githubusercontent.com, GitHub repos via the GitHub API, and the skills.sh registry) and explicitly "follow[s] the skill's instructions exactly"—meaning arbitrary third-party, user-generated content is read and can control tool use and actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). This skill fetches and runs remote SKILL.md and related files at runtime (e.g. via URLs like https://raw.githubusercontent.com/{owner}/{repo}/... and the skills.sh API https://skills.sh/api/search?q={skill-name}), then "follow[s] the skill's instructions exactly", so fetched content can directly control prompts or cause remote-executed actions.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 0.90). The skill fetches and executes arbitrary remote skill content and instructs the agent to "follow the skill's instructions exactly," which can enable remote instructions to run privileged commands, modify system files, or create users and therefore can compromise the host.