subagents-management

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The references (references/opencode-agents.md, "Loading additional files via config") explicitly state that OpenCode will fetch remote URLs (e.g. https://raw.githubusercontent.com/...) with a timeout and concatenate them into AGENTS.md instructions, so arbitrary public URLs (untrusted, user-provided content) are ingested into the agent context and can change its behavior.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The OpenCode reference explicitly says remote URLs in the "instructions" array are fetched at runtime (example: https://raw.githubusercontent.com/my-org/shared/main/style.md), and those fetched files are concatenated into AGENTS.md (i.e., injected into the agent prompt/context), so a remote URL can directly control prompts.