fishbone

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill instructs agents to source external configuration and data (system:load_env sources .env files from the script folder/cwd) and to fetch arbitrary remote data (examples and templates show curl -s "$API_BASE/items" and reference/script:check_version runs git remote update), so untrusted third‑party content can be ingested and influence subsequent tool use and decisions.