jeo

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's VERIFY_UI/ANNOTATE flow (STEP 3.1 in SKILL.md and scripts like scripts/claude-agentation-submit-hook.py and the HTTP polling of http://localhost:4747/pending) explicitly polls and ingests user-submitted annotations from the agentation server and then "acknowledge → navigate code → apply fix → resolve", so untrusted/user-generated annotation content is read and acted on as part of the automated workflow.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). The skill's installer runs a remote shell script via curl -fsSL https://plannotator.ai/install.sh | bash (in scripts/install.sh), which executes fetched code at install/runtime and plannotator is a required dependency for the mandatory PLAN step, creating a high-risk remote-execution dependency.