skill

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's setup wizard explicitly supports "Import skill" from a URL (e.g., GitHub gist) and pasted content (see "/skill setup" Quick Actions → Option 4: Import skill), which causes the agent to download and read untrusted public third‑party content that can become local skills and thus materially influence automated behavior (see "Automatic Application"), enabling indirect prompt injection.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill's "Import skill" flow downloads arbitrary user-provided URLs at runtime (e.g., https://gist.github.com or raw GitHub URLs) and saves fetched markdown as local skills whose frontmatter/triggers can directly control agent prompts and behavior.