facilitating-design-critique

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.85). The skill’s runtime workflow fetches two Bitwarden Confluence pages via the get_confluence_page MCP tool; those pages are outsider-authored content (publicly accessible wiki text authored by others) that is ingested as readable prose into the agent’s LLM context.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill explicitly states the get_confluence_page MCP tool fetches the Confluence pages at https://bitwarden.atlassian.net/wiki/spaces/PROD/pages/2329542659 and https://bitwarden.atlassian.net/wiki/spaces/PROD/pages/469925913 at runtime to ground its facilitation guidance, so remote content is fetched and can directly influence the agent's instructions.