filesystem-context

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill explicitly instructs agents to offload and later re-read large web search/tool outputs (e.g., SKILL.md "Example 1: Tool Output Offloading" and scripts/filesystem_context.py demo where a "web_search" large_output with URLs is written to scratch and then grepped/read), meaning untrusted public/web content is ingested and used to drive agent decisions and actions.