backlog-manager

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly reads and acts on user-generated content from third-party backends—e.g., assets/github-backend.yml's "gh issue view {id} --json title,body,labels,assignees", assets/linear-backend.yml returning issue descriptions/comments via MCP, and beads commands like "bd list" / "bd ready"—and the SKILL.md workflow requires loading and following those backend-specific contents, so untrusted issue/post text could influence the agent's decisions and tool actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill includes runtime install commands that fetch and execute remote shell scripts (curl -fsSL https://raw.githubusercontent.com/steveyegge/beads/main/install.sh | bash and curl -fsSL https://raw.githubusercontent.com/Dicklesworthstone/beads_viewer/main/install.sh | bash), which would run remote code and are listed as required installs for the beads / beads_viewer tools.