kasetto

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's workflow explicitly fetches and ingests remote, user-controlled content (e.g., references/api-reference.md documents that kst sync --config accepts HTTPS URLs, references/core-patterns.md and getting-started.md showing skills[].source and mcps[].source can be GitHub/HTTPS repos), and those fetched skill/MCP configs are parsed and merged into agent setups—so third-party content can directly influence tool behavior and installed agent capabilities.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). Kasetto explicitly fetches remote configs and repositories at runtime (e.g., kst sync --config https://example.com/team-skills.yaml and skill/MCP sources like https://github.com/org/skill-pack or https://github.com/org/mcp-pack), and those fetched repos/MCPs are installed/merged into agent formats and can directly control agent prompts or delivered code, so they are runtime external dependencies that control instructions.