sync-cases

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.70). The skill explicitly pulls and ingests test scenarios from the third‑party Testomat.io service (see "Pull Changes" in SKILL.md and the "Pull" command in references/TESTOMATIO_CLI.md); those test cases are user-generated/untrusted Markdown that the agent is expected to read/parse and that can influence subsequent push/sync actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill explicitly requires invoking npx check-tests@latest at runtime (which fetches and executes the package from the npm registry, e.g. https://registry.npmjs.org/check-tests), so external content is retrieved and executed as a required dependency.