jeo

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill's required VERIFY_UI workflow (STEP 3.1) explicitly polls and processes annotations from the agentation HTTP API (e.g., GET http://localhost:4747/pending and PATCH /annotations/:id) and uses annotation.comment/elementPath to navigate and apply code fixes, which means untrusted/user-generated annotations served by that endpoint can be ingested and directly drive agent actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill's installer may run a remote install script that is fetched-and-executed at install/runtime: install.sh contains "curl -fsSL https://plannotator.ai/install.sh | bash", and plannotator is a required, mandatory PLAN-gate dependency—so this URL is used to fetch/execute remote code that the skill relies on.