agency-brand-scoping

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.85). The skill’s REQUIRED runtime workflow includes “If the user gives a URL or deck, read/fetch it first and extract palette, typography impression, imagery style, and tone words,” meaning outsider-authored public web pages or third-party deck content can be ingested as readable text into the LLM context during the INGEST step.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill explicitly fetches a user-supplied URL or deck at runtime (e.g., the client's site URL provided to the tool) and extracts palette/typography/tone which are then injected into generated prompts/brand-system.json, so arbitrary external URLs supplied by the user are runtime dependencies that directly control prompts.