hosted-agents

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill explicitly instructs cloning and reading repositories for sandbox images ("Cloned repository at a known commit") and uses GitHub authentication/PR flows plus a Chrome extension that extracts DOM/React internals from pages, so untrusted public/user-generated content from GitHub or arbitrary web pages would be read and used to drive agent decisions and tool actions (commits, PRs, session spawns), enabling indirect prompt injection.