client-intake

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly ingests untrusted, user-provided third‑party content — e.g., emails/forms/chats/webhooks and attachments via reception-orchestrator/email-parser/form-handler/chat-handler/attachment-processor and it even fetches and analyzes arbitrary external URLs (agents/extraction/tech-stack-detector.md's analyzeUrl/fetchHtml/wappalyzer) which are parsed and used to drive qualification, extraction and routing decisions, creating a clear avenue for indirect prompt injection.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.70). The tech-stack-detector includes an analyzeUrl routine that fetches and analyzes arbitrary external sites at runtime (example: https://www.example.com), pulling remote HTML into the agent context which can directly influence the agent's outputs and prompts.