project-planning

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly includes AI agent tools that fetch and ingest open web content—see references/example-outputs/ai-web-app.md where search_web calls the Brave Search API and summarize_url performs fetch(url) on arbitrary webpages—so the agent will read and act on untrusted, user-provided third‑party content, enabling indirect prompt injection.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill's summarize_url tool performs a runtime fetch of arbitrary, user-supplied webpages (via fetch(url) in the AI tools code) and injects the retrieved page text directly into the model prompt (context.env.AI.run), so remote content can directly control prompts and thus is a high-risk runtime dependency.