omo

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly routes tasks to the "librarian" agent (see references/librarian.md and the README examples) which performs web searches, clones GitHub repos, and returns permalinks / external docs—i.e., it fetches and ingests untrusted public third‑party content that will be read and used to drive subsequent agent decisions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill's librarian agent explicitly instructs cloning external GitHub repositories at runtime (e.g., "gh repo clone owner/repo" and using permalinks such as https://github.com/tanstack/query/blob/abc123def/packages/react-query/src/useQuery.ts#L42-L50) to fetch code that is then incorporated as evidence/context for model outputs, so external content can directly control prompts.