localref

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The SKILL.md workflow explicitly instructs the agent to shallow-clone GitHub repositories (git clone https://github.com/owner/repo.git to /tmp/ref-) and curl arbitrary URLs/tarballs into /tmp for searching and reading, so untrusted third‑party content would be ingested and could influence subsequent actions.