convex-subconscious

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly configures Subconscious agents to use platform tools that fetch public web content (e.g., web_search, page_reader, google_search) and MCP/external skill endpoints (see references/subconscious-integration.md and SKILL.md which also point to subconscious.dev/platform/skills and MCP URLs like https://mcp.notion.so/v1), and those fetched/untrusted pages/skills are read/interpreted by the agent and can influence subsequent tool calls and decisions—creating a clear avenue for indirect prompt injection.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill explicitly calls the Subconscious runtime (via the SDK / API) at runtime and passes skill names that the platform fetches on-demand (see https://www.subconscious.dev/platform/skills and the example API call to https://api.subconscious.dev/v1/runs), meaning external content loaded from subconscious.dev can directly supply instructions that control agent behavior.