orchestrate

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill explicitly reads user-generated Slack thread replies/reactions for Andon (references/andon.md and SKILL.md) and pastes upstream handoff bodies verbatim into downstream prompts (references/handoffs.md), both of which are untrusted third-party/human content that the agent interprets and that can pause spawning or change subsequent tool-driven actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The orchestrate scripts and spawned cloud agents clone and run the planner's repo at runtime (plan.repoUrl / remote.origin.url — e.g. https://github.com/example-org/example-repo), so external git URLs are fetched during runs and that code is executed by agents, creating a high-risk runtime dependency.