flowhunt

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill explicitly fetches and ingests user-generated third-party content (Gmail message snippets and selected full bodies, Slack message content, calendar descriptions, task-tracker items — see audit.md Step 2 and connectors/slack.md / connectors/google-workspace.md) and requires the agent to read and analyze those texts as primary inputs to drive automation recommendations, creating a clear avenue for indirect prompt injection from untrusted messages.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill instructs running remote install/fetch commands at runtime that execute code (e.g., "curl -LsSf https://astral.sh/uv/install.sh | sh" and npx/uvx MCP installs such as @korotovsky/slack-mcp-server), which the setup/audit branches rely on to provide connector functionality (IMAP/MCP servers), so these URLs fetch and execute remote code during runtime and pose a high risk.