changeflow

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly monitors and ingests arbitrary public websites (see SKILL.md "create_source" which takes a url to "Monitor any website" and the README "start monitoring any URL"), and returns AI-enriched change summaries/get_change details that the agent is expected to read and act on, exposing it to untrusted third-party content.