dual-loop

Warn

Audited by Snyk on Mar 9, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The skill explicitly instructs agents to use public sources and tools that fetch external content. For example, personas/README.md recommends cloning from GitHub and configuring MCP servers (context7, puppeteer, web-fetching MCPs), and multiple persona frontmatter entries (product-manager, ai-engineer, data-engineer, data-scientist, etc.) list WebSearch/WebFetch and MCP tools. Agents are therefore expected to read and act on arbitrary third-party web and documentation content, and instructions embedded in that content can materially influence agent delegation and actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). The skill explicitly instructs fetching and loading remote code and prompts at runtime. For example, "git clone https://github.com/lst97/claude-code-sub-agents.git" installs subagent markdown files that become system prompts, and the MCP config starts servers with npx commands (e.g., "@modelcontextprotocol/server-sequential-thinking", "@upstash/context7-mcp", "@21st-dev/magic@latest", "@playwright/mcp@latest") that download and execute external packages locally. Two of those specs carry no version and two use the floating @latest tag, so the code executed is whatever the registry serves at run time; external content can therefore directly control agent behavior or run code.
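The two findings above are both checkable statically before a skill is installed. The script below is an added example, not part of the Snyk report or of the audited repository; it assumes the Claude Code conventions of an .mcp.json file with a top-level "mcpServers" map of {"command": ..., "args": [...]} entries and agent markdown files whose frontmatter carries a comma-separated "tools:" line. The sample config and agent file are constructed to mirror the identifiers quoted in W011 and W012; the pinned version "1.2.3" in the hardened entry is a placeholder, not a real release.

```python
"""Static checks for W012 (unpinned runtime-fetched MCP packages) and
W011 (agents granted web-fetching tools).

Added example; assumes Claude Code's .mcp.json and agent-frontmatter layout.
"""
import json
import re

# Tools that read arbitrary third-party content into the agent's context (W011).
WEB_TOOLS = {"WebSearch", "WebFetch"}

# npm package spec: optional scope, name, optional "@version-or-tag".
PKG_RE = re.compile(r"^(@?[^@\s]+)(?:@(\S+))?$")
EXACT_SEMVER_RE = re.compile(r"^\d+\.\d+\.\d+$")

# YAML frontmatter block at the top of an agent markdown file.
FRONTMATTER_RE = re.compile(r"\A---\s*\n(.*?)\n---", re.S)


def classify_npx_servers(config: dict) -> dict:
    """Return {server_name: status} for every MCP server started via npx.

    status is one of:
      "pinned"   - exact semver given (foo@1.2.3): the same code every run
      "floating" - a dist-tag or range (@latest, ^1.0.0): moves between runs
      "unpinned" - no version at all: npx resolves whatever is current
    """
    result = {}
    for name, server in config.get("mcpServers", {}).items():
        if server.get("command") != "npx":
            continue  # W012 concerns packages fetched by npx at startup
        # First non-flag argument is the package spec; flags such as -y are skipped.
        spec = next((a for a in server.get("args", []) if not a.startswith("-")), None)
        if spec is None:
            continue
        m = PKG_RE.match(spec)
        if not m:
            continue
        version = m.group(2)
        if version is None:
            result[name] = "unpinned"
        elif EXACT_SEMVER_RE.match(version):
            result[name] = "pinned"
        else:
            result[name] = "floating"
    return result


def web_tools_in_agent(markdown: str) -> set:
    """Return the web-fetching tools an agent file grants in its frontmatter."""
    m = FRONTMATTER_RE.match(markdown)
    if not m:
        return set()
    for line in m.group(1).splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "tools":
            tools = {t.strip() for t in value.split(",") if t.strip()}
            return tools & WEB_TOOLS
    return set()


# Constructed sample config mirroring the package specs quoted in W012.
SAMPLE_MCP_CONFIG = json.loads("""
{
  "mcpServers": {
    "sequential-thinking": {"command": "npx",
      "args": ["-y", "@modelcontextprotocol/server-sequential-thinking"]},
    "context7":   {"command": "npx", "args": ["-y", "@upstash/context7-mcp"]},
    "magic":      {"command": "npx", "args": ["-y", "@21st-dev/magic@latest"]},
    "playwright": {"command": "npx", "args": ["@playwright/mcp@latest"]},
    "local":      {"command": "node", "args": ["./server.js"]}
  }
}
""")

# Hardened variant: same package, exact version (placeholder number, not a real release).
PINNED_MCP_CONFIG = {
    "mcpServers": {"playwright": {"command": "npx", "args": ["-y", "@playwright/mcp@1.2.3"]}}
}

# Constructed agent file in the frontmatter shape the W011 finding describes.
SAMPLE_AGENT = """---
name: product-manager
description: Drafts product requirements
tools: Read, WebSearch, WebFetch
---
You are a product manager persona.
"""

if __name__ == "__main__":
    for server, status in classify_npx_servers(SAMPLE_MCP_CONFIG).items():
        print(f"{server}: {status}")
    print("hardened:", classify_npx_servers(PINNED_MCP_CONFIG))
    print("product-manager web tools:", sorted(web_tools_in_agent(SAMPLE_AGENT)))
```

Pinning to an exact version only fixes which tarball npx asks for; it does not verify the tarball. A lockfile or a pre-installed, checksummed copy of each server (so the config runs a local binary rather than npx) removes the registry from the trust path entirely. For W011, the list of agents with WebSearch/WebFetch is the set whose context can carry injected instructions, so those are the personas whose delegation decisions deserve a human check.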
Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 9, 2026, 07:02 PM