worktree-fleet

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.70). The launcher can enable live web access for workers (allowlisting web_search, fetch_content, code_search, get_search_content for "research" workers in lib/tools.sh and passing codex extra flags like web_search via lib/worker-spawn.sh/_build_codex_cmd and the pi extension load in _build_pi_cmd), so spawned agents may fetch untrusted third‑party web content that they will read and act on during their workflows.