company-creator

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's "from-repo" workflow and Step 3 explicitly instruct the agent to clone/read user-supplied git repositories and to reference external GitHub files (see "From a Repo", references/from-repo-guide.md and the "External Skill References" / metadata sources pattern in SKILL.md), and it also tells the agent to read the public spec URL, so it will ingest and act on untrusted, user-provided web/repo content that can influence its actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill explicitly instructs the agent at runtime to read the normative spec from https://agentcompanies.io/specification and to clone/read user-provided git repos (e.g., via git ls-remote https://github.com/owner/repo HEAD), so content fetched from those URLs would directly influence/generated agent prompts and package generation.