push-by-techulus

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill instructs the agent to call Membrane against the Push by Techulus app (e.g., via membrane connection ensure / connection get and membrane request) and explicitly to consume clientAction.agentInstructions returned by Membrane (SKILL.md), which means untrusted third-party API responses could include instructions that the agent is expected to read and act on.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill invokes the Membrane CLI at runtime (e.g., membrane connection ensure "https://push.techulus.com/") and the Membrane connection responses can include clientAction.agentInstructions which are delivered at runtime and can directly control the agent's instructions, so https://push.techulus.com/ is a risky runtime dependency.