update-skill

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's Phase 2 research steps explicitly instruct the agent to fetch and quote live content from public third-party sources (mcp__surf__surf_github_get and surf_github_search for GitHub, WebFetch for upstream docs, and mcp__kb__kb_search across projects), and those external findings are required inputs that drive proposed edits, version bumps, and commits—so untrusted web content could materially influence agent decisions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). Phase 2 explicitly requires runtime fetching and quoting of live upstream URLs (e.g., GitHub release/PR URLs such as https://github.com/ and raw content at https://raw.githubusercontent.com/) and other docs via WebFetch, meaning external content is fetched at runtime and injected into the agent's prompts/instructions.