kata-plan-phase

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's phase researcher instructions (references/phase-researcher-instructions.md and the tool_strategy/source_hierarchy sections) explicitly direct the agent to use WebFetch and WebSearch (and Context7/WebSearch results) to fetch and verify external web pages and community sources, and those research outputs are inlined and consumed by the planner (downstream_consumer), so untrusted third‑party content can materially influence planning and subsequent agent behavior.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill explicitly instructs runtime fetching of external documentation via Context7/WebFetch (e.g., https://github.com/org/repo/releases) to produce RESEARCH.md that is inlined into planner Task prompts, so external URLs fetched at runtime can directly control agent instructions.