researcher

Warn

Audited by Snyk on Mar 29, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The skill explicitly clones and ingests arbitrary git repositories provided via the repo_url (see run_research_graph / scripts/research.py clone_repo and the workflows/repo_analyzer.toml GitClone/TreeScanner nodes) and then feeds the extracted repo_tree/repomix outputs into LLM tasks (Architect/DeepAnalyze), so untrusted, user-generated repository content can directly influence planning and subsequent actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). The skill fetches a user-supplied git repository URL at runtime (repo_url, e.g. https://github.com/owner/repo or git@github.com:org/repo.git) and injects repository-derived content (repo_tree / repomix outputs) into LLM prompts and the analysis workflow, so remote repo content can directly control agent instructions.

Issues (2)

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

Audit Metadata

Risk Level: MEDIUM
Analyzed: Mar 29, 2026, 11:41 PM
Issues: 2