planning-with-files

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The SKILL.md explicitly instructs the agent to perform "view/browser/search" operations and write "web/search results" and "browser returned data" into the planning files while a PreToolUse hook re-reads task_plan.md (and the workflow requires reading findings.md) before decisions, so open/public web/search/browser content (untrusted third-party pages) is ingested and can materially influence subsequent tool use and actions.