skf-audit-skill

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The workflow explicitly fetches and ingests remote, user-authored repo content and knowledge indices that can influence actions — e.g., Step 01 §5b runs git -C {source_root} fetch --tags ... origin and offers checkout gates based on upstream refs, Step 02 (Quick tier) may read source files via gh_bridge / gh api, and Step 04 (Deep tier) issues qmd_bridge queries against QMD collections — all required steps that read untrusted, third-party (user-generated) content and use it to change decisions and tool actions.