sitegpt-cli

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The playbook and command docs explicitly instruct the agent to fetch and inspect arbitrary public websites (e.g., playbooks/create-chatbot-from-website.md shows using curl/raw HTML and to run sitegpt knowledge website add / sitegpt knowledge sitemap add), meaning untrusted third‑party web content is ingested and explicitly used to drive configuration and subsequent actions, enabling indirect prompt injection.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The playbook and CLI workflow fetch and ingest arbitrary site content at runtime (e.g., curl -sL "$SITE_URL" and "$SITE_URL/manifest.json") which is then used to build the chatbot's knowledge, personas, and instructions, so external content fetched from the SITE_URL directly controls agent prompts.