open-design

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.95). Outsider content from the Open Design repo (a third-party GitHub source) is read as free-form Markdown prose at runtime—e.g., Phase 3 reads $OPEN_DESIGN_ROOT/<designSystem.path>/DESIGN.md, $OPEN_DESIGN_ROOT/<skill.path>/SKILL.md, and craft/<slug>.md and feeds their contents into the agent’s LLM context.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). The skill explicitly runs git clone / git pull against https://github.com/nexu-io/open-design at runtime (e.g., "git clone https://github.com/nexu-io/open-design ...", "git -C "$ROOT" pull") and then reads DESIGN.md, SKILL.md and craft/*.md from that fetched repo to compose prompts/workflows, so remote content directly controls the agent's instructions.