plannotator-annotate

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's SKILL.md instructs running "plannotator annotate " (accepting URLs) and to "wait for the browser review" and "if annotations are returned, address them directly," which means the agent will load and act on annotations derived from arbitrary public URLs/third-party content presented in the Plannotator UI.