web-presence-manager
Warn
Audited by Snyk on Mar 1, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 1.00). The skill explicitly clones and reads GitHub-hosted repositories listed in references/site-registry.md (see the Session Setup / Step 4 git clone in references/monthly-review-checklist.md and the Phase 2/3 delegation templates). Those untrusted, user-managed repo files are parsed and used to drive analysis and automated edits/pushes, so arbitrary repo content could indirectly inject instructions that affect agent behavior.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill performs runtime git clones (e.g., git@github.com:dangeles/dangeles.github.io.git), then injects repository contents into sub-agent prompts and may run repo build commands (e.g., bundle exec jekyll). Remote repository URLs fetched at runtime can therefore directly influence prompts and execute code.
Audit Metadata