task-observer

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The SKILL.md explicitly instructs the agent to fetch and read public docs (e.g., "If web access is available, fetch the relevant section directly..." and links to the GitHub README/USER-GUIDE), meaning the agent will ingest and act on content from open/public third‑party sources (GitHub) as part of its workflow, which could allow indirect prompt injection.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill explicitly instructs the agent to fetch live documentation at runtime from the GitHub repo (https://github.com/rebelytics/one-skill-to-rule-them-all and its README/USER-GUIDE links) and to use those fetched sections as the “source of truth” that shapes agent instructions, so this is a runtime external dependency that can directly control prompts.