onboarding-kickoff

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill clearly scrapes and ingests open/public third‑party content—e.g., Google Maps and business websites via scripts/gmaps_lead_pipeline.py (and the Apify scraping invoked in scripts/onboarding_post_kickoff.py)—and then uses that untrusted content (and outputs it to Claude and the campaign creation flow) to drive enrichment and automated actions, which could allow indirect prompt injection.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill reads Google Sheet URLs at runtime (e.g., https://docs.google.com/spreadsheets/d/...) and uses the sheet contents (company names/rows) as inputs that are injected into Claude prompts (casualize_company_names_batch and related flows), so external sheet content can directly control the agent's prompts.