relay-plan

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's SKILL.md explicitly instructs the planner to "Read the task" from open/public sources including "GitHub: gh issue view " and "User-provided description" and to synthesize the issue body / inferred Done Criteria into the rubric and dispatch prompt, so arbitrary user-generated GitHub issue content would be read and can materially alter subsequent prompts and actions.