omg

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's VERIFY_UI flow (SKILL.md § STEP 3.1 / VERIFY_UI) and accompanying hook script (scripts/claude-agentation-submit-hook.py) explicitly fetch http://localhost:4747/pending to ingest user-submitted agentation annotations (untrusted, user-generated content) and then ack→navigate→apply fixes based on those annotations, so external annotation content can directly influence tool actions and execution.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill auto-installs and invokes plannotator as a mandatory PLAN gate, and the installer contains a curl-then-bash call (curl -fsSL https://plannotator.ai/install.sh | bash) that would fetch and execute remote code at runtime and thus can directly affect agent prompts/approval flow.