filesystem-context

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The SKILL.md examples and workflow (e.g., "Example 1: Tool Output Offloading" and related sections) explicitly show web-search results and other tool outputs (public URLs / search results) being written to scratch files and later grepped/read by the agent, meaning untrusted public third‑party content is ingested and used to drive decisions.