agentflow-plugins

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly resolves and ingests plugin packages from Git repositories (see the consumer declaration in references/plugin-workflows.md and the SKILL.md steps like "agentflow plugin resolve --graph"), and agents are expected to read plugin manifests, tool --help, and packaged workflow/context files which are user-controlled and can change tool behavior, so untrusted third‑party content can influence agent actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill explicitly resolves plugins from Git sources (e.g., git@github.com:acme/agentflow-plugin.git), and those fetched plugin packages can both inject plugin-owned text into agent context (plugin_file) which controls prompts and contain executables (tools/*) that are run in the node sandbox, so remote repo content is fetched at runtime and can directly control prompts or execute code.