autonomous-orchestrator

Warn

Audited by Snyk on Mar 10, 2026

Risk Level: MEDIUM

Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The SKILL.md "Work discovery" step explicitly instructs the orchestrator to scan GitHub open issues, PR reviews, and notifications (public, user-generated content) and to read/act on those findings to discover and dispatch tasks, which exposes the agent to untrusted third-party content that can influence its actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). The skill requires running compose-agentsmd at runtime, which pulls the rules source "github:metyatech/agent-rules@HEAD" (https://github.com/metyatech/agent-rules) to regenerate AGENTS.md. Those externally fetched rules directly control agent instructions and behavior, making this a required runtime dependency that can alter prompts.

Audit Metadata

Risk Level: MEDIUM
Analyzed: Mar 10, 2026, 01:02 PM