filesystem-context

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill explicitly offloads and later reads arbitrary tool outputs (e.g., simulated "web_search" results with URLs in the demo, ToolOutputHandler/ScratchPadManager patterns, and TerminalCapture that persists command outputs), meaning the agent will load and interpret untrusted public/web or user-generated content saved to the filesystem.