preqstation

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly fetches and ingests task payloads from the PREQSTATION API (PREQSTATION_API_URL) — via required calls such as preq_get_task called in SKILL.md and implemented in scripts/preqstation-mcp-server.mjs and scripts/preqstation-api.sh — and the instructions require reading task fields (including latest_preq_result and deploy_strategy) which are user-provided/untrusted and directly determine lifecycle actions, git/deploy behavior, and tool use, so third-party content can materially influence the agent.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). The skill makes runtime requests to the PREQSTATION API (PREQSTATION_API_URL, e.g. https://your-preqstation-domain.vercel.app) via curl/fetch (scripts/preqstation-api.sh and scripts/preqstation-mcp-server.mjs) and uses the returned task payloads (task objective, planMarkdown, latest_preq_result) to directly control the agent's instructions and execution flow, which the skill requires to operate.