wordspace

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly fetches and lists .prose workflows from a remote GitHub repository ("Workflows — Fetches available .prose workflows from GitHub" in the init step), which are public/third‑party user-generated files that the agent downloads and reads as part of its workflow picker and install process, exposing it to untrusted content that could contain indirect prompt injections.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill fetches reusable “.prose” workflows from GitHub at runtime (e.g., raw.githubusercontent.com or github.com repository URLs) and those fetched workflow files are described as executable/reusable programs that would be downloaded and executed/injected into the CLI/agent flow, so remote GitHub content can directly control prompts/execution.