claude-code-harness-architecture

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's core workflow (conversationLoop + Tool System) explicitly includes web-facing tools—e.g., the "Browser: navigate, screenshot, extract" and "Search: web_search" tool categories in SKILL.md—and tool results are executed and fed back into the agent loop (executeTool yielding tool_result), meaning the agent will fetch and read untrusted public web content (and MCP-external server tools like mcp://github/...) that can influence subsequent decisions.