jeo

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly reads and acts on user-generated, third-party content—e.g., plannotator feedback (/tmp/plannotator_feedback.txt and the blocking plannotator-plan-loop.sh) and agentation annotations fetched from http://localhost:4747/pending (see scripts/claude-agentation-submit-hook.py and the VERIFY_UI/agentation watch loop)—and uses annotation.comment / feedback to drive code changes and phase transitions, so external/untrusted inputs can materially influence agent actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). The skill's installer will auto-run a remote install script for a required runtime component (plannotator) via "curl -fsSL https://plannotator.ai/install.sh | bash", which fetches and executes remote code and is mandatory for the PLAN gate, so this is a runtime external dependency that executes code.