x-zuz

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill's installation guide (data/install.md) explicitly directs downloading and executing code from public sites (https://get.x-cmd.com and https://github.com/x-cmd/release), meaning the agent may fetch and act on untrusted third‑party content as part of setup, which could materially influence subsequent actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill's install workflow explicitly includes executing remote code at runtime via "curl -fsSL https://get.x-cmd.com | sh" (and downloading core binaries from https://github.com/x-cmd/release), which directly fetches and runs remote code and is a required dependency for the skill if x-cmd is not already installed.