jeo

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill explicitly fetches and processes user-generated UI annotations from agentation (e.g., HTTP endpoint http://localhost:4747/pending referenced in FLOW.md and scripts/claude-agentation-submit-hook.py and the VERIFY_UI watch loop), and uses annotation.elementPath and annotation.comment to drive ACK→FIND→FIX→RESOLVE actions that modify code/behavior, so untrusted third-party content can materially influence tool actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill includes a runtime installer path (ensure-plannotator.sh / install.sh) that can execute a remote installer via "curl -fsSL https://plannotator.ai/install.sh | bash" during the PLAN gate, which fetches and runs remote code on the host and thus constitutes a high-confidence runtime-executed external dependency.