resolve-workflow

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill explicitly fetches and ingests user-generated ticket content and Figma data from external sources (YouTrack / gh CLI and Figma) in steps/01-fetch-ticket.md (subagent prompt saves .claude_resolve/{ticket-id}/ticket.md and figma assets), then reads and acts on that content across create-plan (steps/04-create-plan.md), implement (steps/06-implement.md) and finalize (steps/09-finalize.md) — including updating base_branch, generating plans, launching autonomous implementer agents, and creating PRs — so untrusted third-party content can directly influence tool use and actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill explicitly fetches external ticket content via MCP/gh (YouTrack/GitHub tickets) and Figma assets at runtime (e.g. https://www.figma.com/...node-id=...) and then injects that fetched content verbatim into subagent prompts (create-plan, implement, visual-verify, review), meaning externally hosted ticket/Figma URLs can directly control agent instructions.