team-issue

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill repeatedly loads and parses external issue text via calls like Bash("ccw issue status --json") (explicitly accepting GH- GitHub IDs) and uses those user-generated issue details to drive exploration, planning, execution method selection, CLI prompts, and task creation—so untrusted third-party content is read and can materially influence agent decisions and tool use.