rover

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's required workflow explicitly instructs fetching and introspecting schemas from arbitrary HTTP endpoints (e.g., "rover subgraph introspect http://localhost:4001/graphql" in SKILL.md and schema.subgraph_url entries in references/supergraphs.md and references/subgraphs.md), and those untrusted third-party schemas are consumed to compose/run supergraphs and affect router/agent behavior (including MCP agent integration), which could allow indirect prompt injection.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). The guide includes installation commands that fetch and execute remote scripts (curl -sSL https://rover.apollo.dev/nix/latest | sh and iwr 'https://rover.apollo.dev/win/latest' | iex, plus the versioned variants https://rover.apollo.dev/nix/v0.26.0 and https://rover.apollo.dev/win/v0.26.0), which run remote code during setup and are required to install the Rover CLI that the skill relies on.