autonomous-orchestrator

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The SKILL.md "Work discovery" section explicitly instructs the orchestrator to scan GitHub (open issues, PRs, notifications, dependabot alerts) and repositories — i.e., ingesting untrusted, user-generated web content that the agent reads and uses to discover tasks and drive spawning/decisions, which could enable indirect prompt injection.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). High-confidence: the skill requires running compose-agentsmd at runtime which regenerates AGENTS.md from the remote rules source github:metyatech/agent-rules@HEAD (https://github.com/metyatech/agent-rules) — directly controlling agent instructions — and also mandates running npx -y @metyatech/ai-quota at runtime (fetching/executing remote npm code) to gate agent spawning, so both are runtime external dependencies that can control prompts or execute code.