audit-skill-by-derailment

Warn

Audited by Snyk on May 17, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The SKILL.md explicitly supports a "Remote skill" flow that runs gh api repos/{owner}/{repo}/contents/... to fetch SKILL.md and reference files from arbitrary GitHub repositories, i.e. public, user-generated content. The workflow and launch scripts then instruct a subagent to read and act on those files, so third-party content is not only fetched but interpreted as part of the agent's instructions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). The skill's "Get the skill" remote workflow fetches live skill files at runtime through the GitHub CLI, which calls the GitHub REST API: gh api repos/{owner}/{repo}/contents/SKILL.md --jq '.content' | base64 -d > /tmp/skill-test/SKILL.md, i.e. https://api.github.com/repos/{owner}/{repo}/contents/SKILL.md. The fetched SKILL.md and reference files directly control the subagent's instructions, which makes this a high-confidence, unverifiable runtime external dependency: whatever the remote repository serves at fetch time is what the agent executes.

Issues (2)

W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).

W012 (MEDIUM): Unverifiable external dependency detected (runtime URL that controls agent).

Audit Metadata
Risk Level: MEDIUM
Analyzed: May 17, 2026, 10:40 PM
Issues: 2