ruler-progress-render

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill explicitly clones/updates a public GitHub repository (REPO_URL default https://github.com/sxhzju/ruler-progress-animator.git) and then reads and executes repository files (package.json, shared/project/render-presets/default.json, projectConfig.js) via npm/node/npx, so untrusted third-party content is ingested and can materially influence tool execution.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill fetches and clones the remote repository https://github.com/sxhzju/ruler-progress-animator.git at runtime and then runs npm install and project Node scripts from that repository, which causes execution of remotely fetched code.