multitask

Warn

Audited by Snyk on Mar 14, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The orchestrator clones arbitrary remote git repositories (git clone in orchestrator.add / run()) and then loads and executes recipe files and TASK.md from the cloned branch (see reference.md and orchestrator.py), running agent steps via the CLISubprocessAdapter which invokes "claude -p" with prompts derived from those repo files—meaning untrusted third‑party repo content is read and can directly drive agent actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 1.00). The orchestrator clones and uses the configured git remote (subprocess.run(["git", "clone", ..., self.repo_url, ...]) where repo_url is obtained via git remote get-url origin — e.g. a URL like https://github.com/your-org/your-repo.git) at runtime and then executes recipe files from the cloned amplifier-bundle/recipes/ (rendering their prompts and spawning agent steps via claude -p and bash steps), so remote repository content directly controls agent prompts and can execute code.

Issues (2)

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 14, 2026, 03:25 PM
Issues: 2