btca-local

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill's workflow and guidelines explicitly instruct the agent to clone and load user-supplied GitHub repositories (and to update or clone repos into ~/.btca/agent/sandbox) and then search and interpret their contents to answer questions, which exposes the agent to untrusted, user-generated third-party code and text that could carry indirect prompt-injection instructions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill clones and loads user-supplied git repository URLs at runtime (e.g., https://github.com/org/repo.git or git@github.com:org/repo.git) and injects their contents into the agent's search/context to generate answers, so fetched remote content can directly control prompts.