skf-brief-skill

Warn

Audited by Snyk on May 6, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The workflow explicitly fetches and ingests content from arbitrary external sources, for example GitHub via gh api in steps like steps-c/step-02-analyze-target.md ("gh api repos/{owner}/{repo}/git/trees/HEAD?recursive=1" and "gh api .../contents/{file}"), docs-only HEAD checks via curl in steps-c/step-01-gather-intent.md, and registry/doc fetches used by steps-c/step-03-scope-definition.md and the extractPublicApiScript/ccc semantic search. That untrusted content is parsed and used to decide scope, versioning, and next actions, so third-party content can materially influence tool use and agent behavior, creating an indirect prompt-injection risk.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.80). The workflow fetches user-provided documentation URLs at runtime (e.g., https://docs.stripe.com/api) as required input for "docs-only" briefs and injects that fetched content into the brief-generation/model context, so those external pages can directly control prompts and the produced instructions.

Issues (2)

  • W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
  • W012 (MEDIUM): Unverifiable external dependency detected (runtime URL that controls agent).

Audit Metadata

  • Risk Level: MEDIUM
  • Analyzed: May 6, 2026, 03:13 AM
  • Issues: 2