omo

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly invokes a "librarian" agent that performs web searches and GitHub cloning to fetch external docs and OSS examples (see references/librarian.md and the README), so untrusted public web content is ingested and passed into the orchestration flow.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The Librarian agent explicitly instructs runtime cloning/reading of GitHub permalinks and injecting that external code as evidence (e.g. https://github.com/tanstack/query/blob/abc123def/packages/react-query/src/useQuery.ts#L42-L50), so external content is fetched at runtime and can directly influence agent prompts/outputs.