branch-evaluator

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill explicitly accepts the "Reference implementation plan" as a URL (SKILL.md Inputs) and in Phase 2 instructs the agent to "Parse the reference implementation plan into a checklist," so it will fetch and interpret arbitrary third-party web content which can materially influence its evaluation and actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill explicitly accepts a "Reference implementation plan" as a URL and requires parsing that fetched content into the checklist that drives all evaluations, so a user-supplied HTTP(S) reference-plan URL (i.e., any user-provided reference implementation plan URL) would be fetched at runtime and directly control the agent's instructions.