four-risks

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's required workflow explicitly says it "Fetches issue details from Linear or GitHub (if MCPs configured)" and then reads/analyzes those issue descriptions and can add comments, so untrusted user-generated issue content from GitHub/Linear could inject instructions that influence the agent's assessments or follow-up actions.