review

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.75). The workflow reads outsider-authored free text from the issue tracker (e.g., issue/PR descriptions and comments) via docs/agents/issue-tracker.md when step 2 fetches the originating spec from issue references, and that fetched prose is then ingested into the Spec sub-agent’s LLM context.