design-shotgun

CRITICAL E004: Prompt injection detected in skill instructions.

• Potential prompt injection detected (high risk: 0.90). The skill embeds numerous out-of-scope control instructions (update checks, telemetry writes, artifact sync, creating/committing CLAUDE.md routing, vendoring migration, auto-decisions in spawned sessions and PLAN MODE EXCEPTIONS) and even tells the agent to "treat the skill file as executable" (overriding plan-mode/system constraints), which are not part of a visual-design "design-shotgun" tool and effectively try to change agent behavior and mutate the environment beyond the skill's stated purpose.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's preamble and Artifacts Sync steps explicitly run git fetch/merge and gstack-brain-sync (see the "ARTIFACTS_SYNC" / "_BRAIN_NEW_URL" and "git fetch origin" / "gstack-brain-sync --once" sections) and then reads project artifacts like DESIGN.md and approved.json into the workflow, meaning remote/user-provided repository content (potentially untrusted) is pulled and read and can influence generation and subsequent tool use.