forward

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.70). The SKILL.md "Then: gather cleanup context" step explicitly runs gh pr list and gh issue list to read GitHub PRs/issues (user-generated, potentially public content) and instructs the agent to include that output in the plan, meaning untrusted third-party text is fetched and used to influence decisions about cleanup and next actions.