plan-dag

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The SKILL.md workflow explicitly instructs the agent to pull issues/PRs and sub-issues from a GitHub-backed tracker (see "1. Discover" referencing mcp__github__issue_read and "3. Edge-build" which reads explicit prose from issue bodies and comments), i.e. user-generated, public/untrusted content that the agent must parse to build edges and decide sequencing, so third-party text could indirectly inject instructions affecting tool use and actions.