kata-track-progress

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.70). The skill explicitly invokes the GitHub CLI in the "report" step (e.g., gh pr list / gh pr view) to load PR metadata (title/state/url) from GitHub — a third‑party, user‑generated source — and that data is read and used to change routing/next actions (e.g., "Merge PR first"), so untrusted external content can influence behavior.