mycelium

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill's hooks (e.g., SessionStart via ~/.claude/hooks/mycelium-arrive.sh and PostToolUse via mycelium-context.py) explicitly load git notes from refs/notes/mycelium (which travel with fetch/push) as "project constraints", "warnings", and "additionalContext", so arbitrary user-generated notes from remote contributors could be read and materially influence the agent's decisions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The README instructs running a remote install script (curl -fsSL https://raw.githubusercontent.com/openprose/mycelium/main/install.sh | bash) and lists the GitHub repo https://github.com/openprose/mycelium as a required dependency, meaning remote code would be fetched and executed as part of setup/usage.