multi-workspace

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly clones and reads arbitrary repositories listed in multi.json (see references/configuration.md and references/commands.md — e.g., multi init/multi sync clone/symlink steps), and concatenates per-repo .cursor/rules/*.mdc into generated CLAUDE.md/AGENTS.md (SKILL.md and references/commands.md), which is untrusted, user-generated third-party content that the tool ingests and can materially alter behavior (merged VS Code configs, tasks, and generated agent directives).

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). Yes — the skill performs runtime git operations (e.g., cloning URLs like https://github.com/org/backend or git@github.com:org/shared-lib.git) and then concatenates fetched .cursor/rules/*.mdc files into CLAUDE.md/AGENTS.md, so remote repository content fetched at runtime directly controls agent prompts.