signals-scout-feature-flags

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.85). The skill’s runtime LLM context is populated with event-derived values from $feature_flag_called (specifically properties.$feature_flag and $feature_flag_response), which are explicitly untrusted outsider-authored free text that can be attacker-controlled via the capture token; the ghost-pattern SQL then surfaces these strings for reporting.