audit

CRITICAL E004: Prompt injection detected in skill instructions.

• Potential prompt injection detected (high risk: 1.00). The prompt explicitly instructs the agent to "send 4 Task tool calls" during MAP phase while elsewhere forbidding opening Tasks (Task is listed as not allowed), a conflicting/deceptive instruction that attempts to change agent behavior outside the skill's stated constraints.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's Map Phase and agent capability docs explicitly permit and instruct agents to fetch and read arbitrary web pages (see "網頁抓取策略" / "Agent 能力限制" in shared/coordination/map-phase.md and related WebFetch/Chrome steps), so untrusted third‑party content can be ingested and influence agent analysis and actions.