biweekly-report

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The SKILL.md Step 2 explicitly instructs the agent to read and ingest user-generated content from Slack channels and GitHub repos (via the slack_user_cli and gh commands), which are untrusted third‑party sources that the agent parses and uses to drive report generation and thus could carry indirect prompt-injection instructions.