preqstation

Warn

Audited by Snyk on May 8, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The skill's mandatory execution flow (SKILL.md and skills/preqstation/SKILL.md) requires calling PREQSTATION APIs such as preq_get_task, preq_get_task_comment, and preq_list_task_comments, via the remote /mcp endpoint or PREQSTATION_API_URL. These calls ingest user-generated task notes and comments from the PREQSTATION service, and the skill uses that content to decide lifecycle actions (start/plan/implement/review/block), so untrusted third-party content can directly influence tool use and next actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). The skill calls the remote PREQ MCP / REST endpoints at runtime (e.g., https:///mcp and requests to $PREQSTATION_API_URL like https://mypreqstation.vercel.app/api/...), and it treats returned task notes/Ask blocks as authoritative instructions for the agent, meaning remote content directly controls prompts and is a required runtime dependency.

Audit Metadata

  • Risk Level: MEDIUM
  • Analyzed: May 8, 2026, 03:30 PM
  • Issues: 2