position

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill's required "3. Regenerate live state" step instructs the agent to follow profile-prescribed session-start actions verbatim and explicitly cites examples that read user-generated third-party content (e.g., tailing a "#general" chat and running "gh pr list" to load GitHub PRs), so the agent will ingest and act on untrusted external content.