pma-mem

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's knowledge-sync workflow (references/knowledge-sync.md, Step 2 "Extract Content" and the BKD/GitHub examples) explicitly instructs the agent to pull and analyze user-generated issue comments/conversation logs from external systems (BKD, GitHub, Linear) and then classify and act on that content (create/update memos, mark source items, trigger automation), so untrusted third-party text could influence agent decisions and tool use.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill makes runtime calls to external issue sources (e.g. $BKD_URL endpoints such as "$BKD_URL/projects/$PID/issues/$ISSUE_ID/logs/..." and GitHub via "gh issue view") to fetch full conversation/history and inject that content into the agent context, which can directly control or influence agent prompts (prompt‑injection risk) and is required for the sync workflow.