team-implement

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The workflow's Step 0.1 "Detect Input Source" explicitly ingests content from arbitrary URLs via "WebFetch" and from public GitHub issues/PRs and Jira tickets (user-generated/open-web content), and those fetched artifacts are read and used by agents to generate specs and drive implementation decisions, so untrusted third‑party content can materially influence agent actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill explicitly WebFetches user-supplied http(s) URLs at runtime (e.g., the input case "/team-implement https://example.com/feature-spec") and injects the fetched content into the input-digest that drives agent prompts and behavior, so remote content can directly control the agents.