bears-workflows

Warn

Audited by Snyk on May 4, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.80). The skill programmatically calls external LLM endpoints (OpenRouter/OpenAI) — see SOCM_LLM / LLMOptimizer and ViscosityLLMSingleObjectiveOptimizer in scripts/optimizers.py and the optimization docs (references/optimization.md, references/viscosity-optimization.md) — and parses those model responses as JSON to produce next-volume/parameter suggestions that are then used to generate and execute Opentrons protocols, so untrusted third-party model outputs can materially influence actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). The optimizers call the OpenRouter API at runtime (https://openrouter.ai/api/v1) via the OpenAI client to obtain LLM-generated JSON suggestions (volumes/parameters) that are parsed and used to generate/execute protocols, so this external endpoint directly controls agent instructions and is a required dependency (OPENROUTER_API_KEY).

Audit Metadata

Risk Level: MEDIUM
Analyzed: May 4, 2026, 01:06 AM
Issues: 2