sdd-slim-plan

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's requirement-archive and specify workflows (see specify.md and prompts/requirement-archive-prompt.md) explicitly require the main agent to fetch and ingest linked external documents via MCP/tools (including arbitrary URLs and wiki links like wiki.17u.cn/toca.17u.cn) and then read and base planning/spec decisions on that content, which exposes the agent to untrusted third-party content that could carry indirect prompt injections.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill explicitly requires fetching external documents at runtime (e.g., wiki.17u.cn and toca.17u.cn via mcp__hotel-tools__matrix-wiki-get) and injecting that fetched content into the requirement archive/spec flow, which directly controls subsequent agent prompts and planning.