ats

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill explicitly fetches and ingests user-generated task data, message parts, and real‑time events from the ATS server (see commands like ats get, ats message list and ats watch which call API paths like /orgs/.../tasks, /.../messages and the /ws WebSocket), so untrusted third‑party content from those endpoints can be read and could contain instructions that influence agent decisions or follow-up actions.