subconscious-dev

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly exposes the agent to untrusted public content via platform tools (e.g., "web_search", "page_reader", "tweet_search") and function tools that call arbitrary HTTP endpoints (see SKILL.md Tools section, references/tools-guide.md, and the examples), and those tool results are injected into the agent's context and used to drive multi‑hop reasoning and subsequent tool calls—allowing third‑party content to materially influence agent actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). Subconscious explicitly calls user-provided tool endpoints at runtime (e.g., "https://your-server.com/search" / "https://your-ngrok-url.ngrok.io") and injects their JSON responses into the agent's reasoning/context, so those runtime URLs can directly control prompts/agent behavior.