design-shotgun

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill's startup "Artifacts Sync" flow explicitly runs git fetch/merge on the user's ~/.gstack repo and calls gstack-brain-sync (which can pull artifacts from a remote URL or a remote gbrain MCP server per the "_BRAIN_SYNC" and "GBRAIN_MCP_MODE" logic), so it can ingest untrusted/user-generated content from remote Git remotes or indexed repositories and then use those artifacts (DESIGN.md, approved.json, taste-profile.json, etc.) to influence generation and tool actions.