swain-helm

CRITICAL E004: Prompt injection detected in skill instructions.

• Potential prompt injection detected (medium risk: 0.60). The prompt includes a hidden HTML comment ("swain-model-hint: haiku, effort: low") that attempts to instruct the model's response style outside the skill's stated operational purpose, which is a concealed/deceptive instruction (prompt injection).

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The SKILL.md explicitly says the watchdog "routes Zulip messages to opencode serve" and references a "Zulip stream to use for sending prompts," meaning the skill ingests user-generated messages from a third-party messaging platform that can drive actions.