plan-cro

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The workflow explicitly requires "If the user provides a URL, use web_fetch tool to fetch the content of the URL and analyze the current issues," which means the agent will retrieve and interpret arbitrary public web content (untrusted/user-generated) as part of its planning decisions, enabling indirect prompt injection risk.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill instructs using the web_fetch tool to fetch a user-provided URL at runtime and inject that page content into the agent's analysis/context (i.e., "user-provided URL (fetched via web_fetch)"), which can directly control prompts and model outputs.