run-athena-flow
Warn
Audited by Snyk on Apr 11, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill explicitly clones and loads marketplace GitHub repos and plugin directories (references/workflows/marketplace.md, references/plugins/overview.md) which include SKILL.md prompt templates, and it exposes a browser MCP (agent-web-interface) that navigates arbitrary target URLs and returns semantic page snapshots (references/plugins/agent-web-interface.md), both of which are untrusted third-party content the agent reads and acts on as part of workflows.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). Athena explicitly clones/updates marketplace repos at runtime (e.g. https://github.com/lespaceman/athena-workflow-marketplace) to load workflows and plugins whose SKILL.md and systemPrompt files are injected as agent prompts (and whose MCP configs can cause runtime command execution), so remote repo content directly controls prompts and can execute code.
Issues (2)
W011
MEDIUM Third-party content exposure detected (indirect prompt injection risk).
W012
MEDIUM Unverifiable external dependency detected (runtime URL that controls agent).
Audit Metadata