omg
Warn
Audited by Snyk on Mar 20, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill explicitly polls and ingests user-generated annotations from the Agentation MCP HTTP endpoint (e.g., GET http://localhost:4747/pending and related agentation watch/resolve flow described in SKILL.md and scripts/claude-agentation-submit-hook.py) and also reads plannotator feedback files (e.g., /tmp/plannotator_feedback.txt / .omc/state/.plannotator_feedback) and then programmatically applies fixes based on those annotations, so untrusted third‑party/user content can directly influence agent actions.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill's install script explicitly runs remote code at runtime via "curl -fsSL https://plannotator.ai/install.sh | bash", and plannotator is a mandatory PLAN-step dependency that directly controls the approval/gate behavior—meeting the criteria for a high-confidence runtime-executed external dependency.
Issues (2)
- W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
- W012 (MEDIUM): Unverifiable external dependency detected (runtime URL that controls agent).