build-docs

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill downloads and ingests public, user-authored content (via scripts/github.sh which clones GitHub repos and scripts/url.sh which fetches arbitrary URLs referenced in vault/configs/*.json) and Phase 4 explicitly has subagents "Download docs" and "Filter files" / "Generate SKILL.md", so untrusted third‑party text is read and used to generate skill definitions and artifacts that can materially change agent behavior, enabling indirect prompt injection.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The runtime scripts perform git fetches from "https://github.com/$repo.git" and curl downloads of arbitrary URLs (e.g., "https://example.com/doc.md"), and those fetched markdown files are used to generate SKILL.md skill definitions that can directly control agent prompts/instructions, so external content can influence and execute agent behavior.