watt

Warn

Audited by Snyk on Feb 23, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.70). The skill's required CMS integration workflow (see SKILL.md "CMS Integration Setup" and references/cms-integration.md) instructs creating a content-worker that accepts webhooks from third-party CMSs (Contentful/Sanity/Strapi) and also fetches entries from Contentful (lib/contentful.ts, using client.getEntries). The worker therefore ingests untrusted, user-generated content and acts on it by mapping content types and calling internal revalidation endpoints, which could allow indirect injection to influence runtime actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). The skill contains explicit runtime commands that fetch and execute remote code, e.g., "curl -L https://fly.io/install.sh | sh" for installing flyctl. It also shows watt.json entries and CLI steps that will clone and run remote git repositories such as "https://github.com/your-org/user-service.git" via wattpm resolve. External content is thus fetched at runtime and can execute code, so these URLs are a runtime risk.

Audit Metadata

Risk Level: MEDIUM
Analyzed: Feb 23, 2026, 09:06 AM