claude-code

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly allows fetching and ingesting untrusted public content — e.g., references/mcp-integration.md documents Brave Search, Puppeteer (web scraping), and remote MCP servers with arbitrary URLs, and references/hooks-and-plugins.md shows installing plugins from GitHub or arbitrary URLs and commands like /fix-ci that accept public GitHub run URLs — so the agent will read/interpret third-party user-generated content, enabling indirect prompt injection.