duoduo-admin

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's upgrade/playbook explicitly instructs the agent to "fetch the target tag's subconscious/ directory from the public repo" (openduo/duoduo) and merge those prompt/partition files into the local kernel (references/upgrade-playbook.md → "How to refresh"), which pulls public repository content that directly modifies agent prompts and can therefore alter behavior.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill explicitly instructs fetching the subconscious/ tree from the public repo openduo/duoduo (e.g. https://github.com/openduo/duoduo) at runtime to overwrite prompt files that directly control agent behavior, and it also requires running npm installs (npm install -g @openduo/duoduo) which download and install remote native packages (e.g. @anthropic-ai/claude-agent-sdk-*), so remote content is fetched at runtime and can directly control prompts or execute code.