duoduo-runtime-admin

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's Subconscious Refresh workflow (references/subconscious-refresh.md) explicitly clones and inspects the public upstream repository via "git clone --branch https://github.com/openduo/duoduo.git", asks the agent to diff and summarize those upstream subconscious/partition prompts, and then optionally overwrite local prompts—allowing externally fetched public content to be read, interpreted, and to materially change agent behavior.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). The skill explicitly runs a runtime git clone from https://github.com/openduo/duoduo.git to fetch upstream "subconscious" partition prompts which are then copied into the kernel and thus directly control agent prompts at runtime.