xmake-custom-plugins

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly describes fetching and executing plugins from public sources—e.g., SKILL.md section 11 instructs using xrepo add-repo https://github.com/me/my-repo.git and git clone https://github.com/me/hello-plugin ~/.xmake/plugins/hello, and section 6 lists import("net.http") and devel.git—meaning untrusted third-party code/content is ingested and run as part of normal workflow.