plan-rollout

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill explicitly instructs the agent to fetch and interpret user-provided PR diffs (SKILL.md, step "1. Analyse the diff" — e.g. "gh pr diff ") and to run telemetry/deploy probes that query external telemetry and deploy APIs (scripts/probe_telemetry_tools.sh and steps 4/7 that query Datadog/Honeycomb/Prometheus/Verce/gh/etc.), so it ingests untrusted, user-generated third‑party content and uses that content to drive decisions and subsequent actions.