refero-design
Warn
Audited by Snyk on Feb 28, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill explicitly requires querying the Refero MCP (see SKILL.md and README), e.g., using refero_search_screens_tool / refero_get_screen_tool against https://api.refero.design/v1/mcp to fetch public screens and flows (150k+ screens from Stripe, Linear, Notion, etc.). SKILL.md also mandates calling get_screen for 5–10 results and using those findings to drive decisions, so the agent ingests and acts on untrusted third-party content that could carry indirect prompt injections.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill requires a runtime connection to the Refero MCP API (https://api.refero.design/v1/mcp), and the data returned (get_screen/get_flow/get_design_guidance responses) is explicitly used to drive the agent's prompts and decisions, making this an external content dependency that directly controls agent behavior.