setup

Warn

Audited by Snyk on Feb 19, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The setup workflow explicitly clones and symlinks public GitHub repositories (e.g., spm1001/claude-suite, todoist-gtd, claude-mem in "Phase 2: Clone and Symlink" and "Phase 4: Offer Tool Repos"), which are untrusted, user-controlled third‑party sources whose code/content the agent will install and execute, allowing external content to influence agent behavior.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). The setup clones and symlinks a remote GitHub repository at runtime (gh repo clone spm1001/claude-suite, with optional gh repo clone spm1001/todoist-gtd and gh repo clone spm1001/claude-mem), and those fetched repos provide the skill code that directly controls agent prompts and can execute code on install/run.
Audit Metadata

Risk Level: MEDIUM
Analyzed: Feb 19, 2026, 12:08 PM