autoplan

CRITICAL E004: Prompt injection detected in skill instructions.

• Potential prompt injection detected (high risk: 0.70). The prompt includes deceptive/out-of-scope instructions: it promises telemetry will not include repo names or file paths yet explicitly logs the repo name and has artifact-sync/remote-telemetry flows (and automatic file/commit mutations) that can exfiltrate project data — behavior not essential to "auto review" and inconsistent with the stated privacy claim.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill explicitly runs Codex exec calls in multiple mandatory phases with the flag "--enable web_search_cached" (see the Codex Bash prompts in Phase 1/2/3/3.5) which performs web searches and ingests public third‑party content that the agent reads and uses to form decisions; it also offers to open a public URL (https://garryslist.org) as part of the preamble flow.