dev-context-engineering

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The SKILL.md explicitly instructs the agent to "Use web search/web fetch to verify current external facts" and the "Web Verification", "Pre-Hydration" and MCP/Toolshed examples show loading content from external URLs, tickets, and MCP tools (public web pages and linked resources) into agent sessions—clear evidence the agent ingests untrusted third‑party content which can materially influence actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). The CI workflow (.github/workflows/template-sync.yml) clones a remote repository at runtime using "git clone --depth 1 https://github.com/org/template-repo /tmp/template", and then copies .claude/rules/* from it into repos — fetched content that directly controls agent prompts/instructions (mandatory rule files) and is relied on for enforcement.