exploring-mcp-sessions

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.85). The workflow uses posthog:execute-sql to read events (HogQL over stored tool-call properties like $mcp_intent), which are outsider-authored free text originating from other agent runs/clients, and that text is then fed into the LLM when the typed tool posthog:mcp-analytics-sessions-generate-intent “summarises the recorded $mcp_intent values via an LLM”.