plan-dag

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.85). Outsider-authored free text is ingested into the LLM context via the skill’s runtime GitHub reads: it fetches issue bodies/comments and PR/review comments (e.g., mcp__github__issue_read get_comments, mcp__github__pull_request_read get_comments/get_reviews/get_review_comments) and then uses that prose to build the DAG IR that is rendered and summarized.