em

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The workflow explicitly runs web searches and fetches external URLs as part of Agent B in workflows/plan.md Step 3.5 ("Run WebSearch... Fetch 2 relevant URLs (engineering blogs, reference implementations)") and incorporates those findings into PRIOR_RESEARCH used to drive planning and actions, so the agent ingests untrusted public web content that can materially influence subsequent decisions and tool use.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill launches Agent B at runtime which performs WebSearch("{project type} architecture patterns") and "Fetch 2 relevant URLs" (external engineering blog/reference implementations) and injects those fetched contents into PRIOR_RESEARCH that the agents use to drive planning decisions, so arbitrary remote URLs fetched at runtime can directly control agent prompts and context.