overview

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). This skill instructs clients to discover and consume public Nostr relay events (e.g., wss://relay.contextvm.org and replaceable events like kinds 11316/11317/11320 described in SKILL.md and references/ceps.md) — untrusted, user-generated content (server announcements, tools lists, prompts) that the agent must read and which can directly affect tool selection and subsequent actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill explicitly uses Nostr relays as runtime transport (e.g., wss://relay.contextvm.org) and describes replaceable events/kinds (notably kind 11320 "Prompts list") that are delivered via those relay URLs at runtime and can inject prompt content into the client, so the relay URL is a runtime dependency that can directly control agent prompts.