bmad-eval-runner
Warn
Audited by Snyk on May 14, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.80). The runner explicitly allows artifact evals to run with network access (references/isolation.md: "full network for artifact evals that may need it") and the grader agent is required to "List and inspect artifacts" and read their contents (agents/grader.md), so outputs fetched from or containing untrusted third‑party/web content could be ingested and influence grading or subsequent tool-driven decisions.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.80). The Dockerfile invokes "npm install -g @anthropic-ai/claude-code" (pulling https://www.npmjs.com/package/@anthropic-ai/claude-code / the npm registry) as part of the image build that occurs on first Docker use, installing and executing remote code (the claude CLI) which the runner then relies on to run prompts—this is a runtime-fetched, required dependency that executes remote code.
Issues (2)
- W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
- W012 (MEDIUM): Unverifiable external dependency detected (runtime URL that controls agent).