plan-design-review

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly fetches and reads remote, potentially public content as part of its required workflow—e.g., Step 0 and GBrain Sync use git remote/get-url, gh/glab commands, and git fetch/merge to read PR/repo data, the skill can run codex exec with web_search_cached and even open external URLs (e.g., https://garryslist.org), so untrusted third-party/user-generated content is ingested and used to drive decisions and tool actions.