xmake-debug-package-source

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill’s required workflow explicitly fetches and uses upstream package tarballs (see the default recipe flow "add_requires → fetch tarball" and the curl example downloading https://zlib.net/zlib-1.2.11.tar.gz), and then runs/inspects that third-party source via on_install/on_test, meaning untrusted public content can influence build actions and tooling.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill's runtime example explicitly downloads and extracts https://zlib.net/zlib-1.2.11.tar.gz (curl -LO ...) and then runs build/test steps (xmake scripts/test.lua / on_install) that execute code from that fetched tarball, so this is a runtime external fetch that can lead to executing remote code.