context-store

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's SKILL.md and command scripts (e.g., doc-read, doc-search, doc-pull and the DocumentClient in commands/lib/client.py) explicitly instruct the agent to fetch and read documents from a configurable Context Store server (via DOC_SYNC_HOST/DOC_SYNC_SCHEME and HTTP calls), meaning the agent will ingest arbitrary user-uploaded or externally-hosted document content (examples even show DOC_SYNC_HOST=example.com) that can contain untrusted instructions and materially influence subsequent actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill performs runtime HTTP requests to the Context Store (e.g. http://localhost:8766/documents/<document_id>) via doc-read/doc-pull/doc-search and the README explicitly instructs agents to retrieve document content, meaning fetched remote documents can be injected into the agent context and thus directly control prompts or behavior.