holmesgpt

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly fetches and ingests user-generated public content (e.g., "holmes investigate github --github-repo owner/repo" in references/commands.md and the "internet" toolset in references/data-sources.md), and the agent is instructed to read/interpret that external content and can act on it (e.g., --update to write back or drive investigations), which could allow indirect prompt-injection from untrusted third-party sources.