omu

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The SKILL.md and scripts explicitly require running the plannotator plan gate (scripts/plannotator-plan-loop.sh and the Codex/Gemini/OpenCode hooks) which invokes the third‑party plannotator CLI (and may install it from plannotator.ai) and then reads its JSON feedback (plannotator_feedback.txt) to decide approved=true and progress to EXECUTE, so untrusted/user-provided review content can directly control agent actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill's install.sh will at runtime run a remote installer via "curl -fsSL https://plannotator.ai/install.sh | bash" to install the required plannotator dependency (used by the PLAN gate), which fetches and executes remote code and thus can directly control agent behavior.