ai-todo

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The SKILL.md states the agent connects to the external ai-todo service (https://ai-todo.stringzhao.life) and "commands are dynamically loaded from the server" and instructs the agent to run commands that read task data (e.g., ai-todo tasks:tree, tasks:list) — i.e., it fetches and interprets user-generated task content from a third-party server which directly influences what actions and updates the agent performs.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill explicitly states "Commands are dynamically loaded from the server" and the ai-todo CLI connects to https://ai-todo.stringzhao.life, so runtime-fetched content from that URL determines available commands and thereby directly controls agent behavior.