quality-workflow

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's AGENTS.md requires running compose-agentsmd before responding (a mandatory workflow step) and agent-ruleset.json points the rules source to "github:metyatech/agent-rules@HEAD", which means the agent will fetch and must read externally hosted public GitHub rule files that can change runtime behavior—exposing it to untrusted third-party content that could inject instructions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill's session gate requires running compose-agentsmd which (per agent-ruleset.json "source": "github:metyatech/agent-rules@HEAD", i.e. https://github.com/metyatech/agent-rules) can fetch remote rules that regenerate AGENTS.md and therefore directly control agent prompts at runtime.