researcher

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill clones and processes arbitrary public git repositories provided via the repo_url (see run_research_graph in scripts/research_entry.py and clone_repo/repomix_compress_shard in scripts/research.py) and feeds the generated repo tree/content into an LLM architect node (workflows/repo_analyzer.toml) to produce shard plans and drive subsequent analysis, meaning untrusted third‑party repo content (e.g., GitHub/public repos) can materially influence tool actions and thus enable indirect prompt injection.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill clones whatever Git repository URL is supplied at runtime (e.g., https://github.com/owner/repo via the GitClone node / clone_repo) and injects the resulting repo tree/content into the LLM "Architect" node as context, so external repo content directly controls prompts/agent behavior and is a required runtime dependency.