knowledge-ops

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The SKILL.md ingestion and sync workflows explicitly instruct the agent to pull and ingest user-generated content from public sources—e.g., "GitHub issues, PRs, discussions" and "Browser bookmarks" under "Layer 1" and "Cross-Source Knowledge Sync"—which the agent is expected to read and then act on (update issues, commit/push, synthesize), creating a clear vector for indirect prompt injection.