code-reader

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly clones arbitrary GitHub URLs (Phase 1 "If source is a URL: Clone to {output-dir}/{project-name}/") and then requires Agent A (tech-writer) and Agent B (qa-engineer) to read the module source code (see tech-writer-prompt.md and qa-engineer-prompt.md), meaning untrusted, user-provided repository content is fetched and directly read/interpreted as part of the workflow and can influence subsequent actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill explicitly clones and reads a GitHub repository at runtime (e.g., https://github.com/org/repo), and then feeds those fetched source files into subagent prompts (Tech Writer / QA Engineer / Junior Dev) to drive question-generation and verification output, so the remote repository content directly controls the model's instructions and is a required dependency.