agentation

Warn

Audited by Snyk on Mar 7, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The skill explicitly ingests user-generated annotations from the MCP server (e.g., GET /pending, GET /sessions/:id/pending and the agentation_watch_annotations tool) and platform hooks that curl http://localhost:4747/pending (see SKILL.md Section 4 and the UserPromptSubmit / AfterAgent hook examples). It injects that untrusted annotation text into agent prompts and automated watch-loops, where it directly drives agent actions like grep/edit/resolve, allowing indirect prompt injection.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.80). The skill instructs users to run npx agentation-mcp (e.g., npx agentation-mcp server), which at runtime fetches and executes remote package code from the npm registry (see https://www.npmjs.com/package/agentation-mcp), making it a required runtime remote code dependency.
Audit Metadata

Risk Level: MEDIUM
Analyzed: Mar 7, 2026, 07:52 AM