aibtc-agents

Warn

Audited by Snyk on May 12, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 1.00). The skill explicitly ingests public, user-generated content as part of its required workflows: the sensors and workflows list shows aibtc-inbox (syncing AIBTC inbox messages), github-issue-monitor/github-mentions (reading GitHub issues/mentions), arxiv-research (fetching arXiv papers), and scout/agent-scouting (reading other agents' public GitHub repos). That content is used to queue tasks, compose replies, open PRs, and drive actions, so it can materially influence tool use and enable indirect prompt injection.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.80). The documentation explicitly says the agent "scouts other agents' GitHub repos" at runtime and that daemon/loop.md (from the loop-starter-kit) is "both the instruction set AND the thing the agent edits". Fetching the Git repository https://github.com/secret-mars/loop-starter-kit at runtime would therefore directly supply or edit the agent's instructions and prompts.


Audit Metadata

Risk Level: MEDIUM
Analyzed: May 12, 2026, 12:43 AM
Issues: 2