daft-worktree-workflow

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The SKILL.md explicitly instructs agents to run daft commands that clone arbitrary remote repositories (e.g., "daft worktree-clone ") and to execute repository-provided hooks and -x/--exec commands from the cloned repo (see "Hooks System (daft.yml)" and "Post-setup Command Execution (-x/--exec)"), meaning the agent will ingest and act on untrusted, user-provided repository content that can alter behavior.