multitask

Warn

Audited by Snyk on Mar 18, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The orchestrator explicitly clones the remote git repo (git clone in orchestrator.add()) and then loads and executes recipe files from the cloned repo (amplifier-bundle/recipes/) via run_recipe_by_name / CLISubprocessAdapter, which spawn claude -p sessions using the rendered recipe prompts. As a result, arbitrary third-party repository content can directly influence agent prompts and the actions that follow from them.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). The orchestrator clones and runs code from the configured git remote (repo_url obtained via git remote get-url origin, e.g. https://github.com/test/repo or any remote like https://.../repo.git) at runtime. It then imports and executes the cloned repository's amplihack code and uses its amplifier-bundle/recipes YAML to drive agent prompts (via run_recipe_by_name and CLI agent steps), so remote repo content directly controls the prompts and executes code.

Issues (2)

W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).

W012 (MEDIUM): Unverifiable external dependency detected (runtime URL that controls agent).

Audit Metadata

Risk Level: MEDIUM
Analyzed: Mar 18, 2026, 12:46 PM
Issues: 2