autonomous-agent-harness

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill's required workflows and cron examples explicitly instruct the agent to fetch and read external, user-generated content—e.g., "Check for new PRs on watched repos," "review all open PRs," "review my GitHub notifications," and the computer-use MCP's browser automation (navigate/click/fill forms)—meaning it ingests public third‑party pages/PRs and acts on them, which could enable indirect prompt injection.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill's runtime MCP configuration invokes npx to fetch and execute remote MCP server packages (e.g., npx -y @anthropic/memory-mcp-server — https://www.npmjs.com/package/@anthropic/memory-mcp-server, plus @anthropic/scheduled-tasks-mcp-server and @anthropic/computer-use-mcp-server), which pulls and executes remote code that the skill depends on.