to-issues

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's Process step 1 explicitly says that "if the user passes an issue reference (issue number, URL, or path) as an argument, fetch it from the issue tracker and read its full body and comments," which means the agent will ingest user-generated issue tracker content (potentially open/public) and use it to drive decisions and publish new issues.