groom-milestone

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly loads GitHub milestone items and item metadata via backlog_list_issues and backlog_view (and has the worktree agent self-discover description/acceptance criteria and skills via sam_read), which are user-generated/untrusted issue content that the agent reads and uses to drive grooming, dependency analysis, wave assignment, and skill selection.