lev-intake

CRITICAL E004: Prompt injection detected in skill instructions.

• Potential prompt injection detected (high risk: 1.00). The prompt contains a contradictory, forceful directive to "IMMEDIATELY" load and execute ~/lev/workshop/intake.md (driving Phases 2–3) which goes beyond the skill's claimed "Phase 1 routing ONLY" scope and effectively allows arbitrary external instructions to override intended behavior — a hidden/deceptive control flow risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). This skill's Phase 1 "Content Acquisition" flow explicitly clones GitHub repos, scrapes articles, and fetches transcripts from YouTube and other public platforms into ~/lev/workshop/intake/, and its Phase 2/3 instructions then require immediately executing (cat ~/lev/workshop/intake.md) and "FOLLOW" the loaded analysis framework, meaning untrusted, user-generated third‑party content can be ingested and directly drive agent decisions and actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill explicitly runs git clone on repository URLs (e.g., https://github.com/*/*) at runtime and then immediately loads and follows ~/lev/workshop/intake.md from the fetched repo, meaning remote repository content can directly control agent instructions and subsequent execution.