obsidian-plan-wiki

Warn

Audited by Snyk on Mar 1, 2026

Risk Level: MEDIUM

Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The skill's playbook explicitly instructs agents to call arbitrary remote MCP servers (see playbook/05-common-tools/05-20-mcp-less/SKILL.md with HTTP/SSE example URLs and a "Practical workflow for agents"), which means the agent may fetch and act on untrusted third-party responses that can change tool behavior.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). The skill contains runtime commands that call external MCP endpoints (e.g., https://your-mcp-server.example.com/mcp) via bunx/inspector to list and invoke tools — these endpoints are invoked at runtime and can provide tool instructions or execute remote actions that directly affect agent behavior.

Audit Metadata

Risk Level: MEDIUM
Analyzed: Mar 1, 2026, 09:29 AM