clawgs

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill clearly auto-discovers and ingests user-generated session transcripts and terminal text (see SKILL.md and code paths: discover_claude_paths/discover_codex_paths, extract, and tmux-emit which capture pane replay_text), then builds prompts from that untrusted content and sends them to the model to produce "thought" updates that influence downstream behavior, so third-party content can materially affect actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill's ModelClient implementation makes runtime HTTP requests to the OpenRouter API (https://openrouter.ai/api/v1/chat/completions) and uses the returned model completions directly as emitted "thought" text, meaning remote content can directly control agent outputs.