audit-skill-by-derailment

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The SKILL.md "Remote skill" workflow explicitly shows gh api commands that fetch SKILL.md and arbitrary reference files from a user-provided GitHub repo, and the subagent prompt (Step 3 / scripts/launch-derailment.sh) requires the agent to read and follow those fetched files, meaning untrusted third‑party content can directly influence actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill's "Remote skill" workflow explicitly runs GitHub API fetches (e.g., gh api repos/{owner}/{repo}/contents/SKILL.md and the references fetch loop) at runtime to load remote SKILL.md and reference files that are then used as agent instructions, so externally fetched content directly controls prompts and is a required dependency.