qa

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). This skill explicitly navigates and ingests arbitrary web content (e.g., user-supplied target URLs via the $B browse commands like "$B goto ", uses WebSearch for research, and syncs remote artifacts/PRs via git/brain sync), and it reads and acts on that content as part of its QA/fix workflow, so untrusted third-party pages could inject instructions that influence subsequent actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill runs a runtime install that downloads and executes a remote shell script via curl -fsSL "https://bun.sh/install" and then runs it with bash (curl -o "$tmpfile" ... bash "$tmpfile"), which clearly fetches and executes remote code.