team

CRITICAL E004: Prompt injection detected in skill instructions.

• Potential prompt injection detected (high risk: 0.80). The skill explicitly instructs the agent to silently load local persona and config files before any user interaction and to hide that activity (e.g., "silently" and "show only 'Loading personas...'"), which is a deceptive/hidden behavior outside a transparently stated user-facing purpose.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's required workflow (SKILL.md and references/team-config.yaml) mandates citing technical claims via web_search (p3_team_discussion allows "web_search" and README/SKILL.md say "Cite all technical claims using exa or web search"), so the agent will fetch and interpret open web content (potentially untrusted/user-generated) as part of decision-making.