mise

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly supports fetching and executing remote, public content (e.g., "Remote Tasks" examples with file = "https://example.com/build.sh" and git::https://github.com/..., the [task_config] includes remote git:: URLs, and HTTP/GitHub tool backends), so untrusted third-party files/URLs can be ingested and influence task execution.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill explicitly supports fetching and running remote task files and git repositories at runtime (e.g., file = "https://example.com/build.sh", git::https://github.com/org/repo.git//scripts/release.sh?ref=v1.0.0", and includes like "git::https://github.com/org/tasks?ref=v1"), which would download external content that can be executed as tasks and therefore directly control execution/prompt behavior.