Agent Design

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's workflow (see "Pattern 3: MCP-Enhanced Workflows" and the "sync-docs" command in SKILL.md) explicitly instructs the agent to use external MCP servers (e.g., notion-mcp, github-mcp, slack-mcp) to fetch public/user-generated content and then act on it (update files, create PRs, post summaries), which clearly ingests untrusted third-party content that can influence tool use and decisions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill includes an externalMCPs entry that runs "npx -y @anthropic-ai/mcp-server-filesystem /workspace", which will fetch and execute remote npm package code at runtime (effectively pulling from the npm registry), so this is a runtime external dependency that executes remote code.