ce-work

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.70). The skill's workflow explicitly tells the agent to "review any references or links provided in the plan" (Phase 1 Read Plan) and to probe and interact with external trackers (references/tracker-defer.md describes probing/using GitHub Issues, Linear, Jira via CLI/API), so the agent will fetch and act on untrusted, user-generated third‑party content (tracker URLs/issues and arbitrary linked pages) which can change routing and tool-use decisions (e.g., whether/where to file tickets and how Defer options are labeled).