skill-studio

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.70). The skill's workflow includes a required "propose-from-session" ingest path (SKILL.md Step 0 and cmd_propose_from_session in cli.py) that reads arbitrary transcripts from a user-supplied path or discovered Claude Code sessions (see src/skill_studio/ingest/transcript.py and src/skill_studio/ingest/proposer.py) and runs an LLM over that untrusted, user-generated content to produce a DesignJSON patch that can be applied and influence subsequent questions and actions—so external transcript content can materially change agent behavior.