openproject

Warn

Audited by Snyk on Mar 3, 2026

Risk Level: MEDIUM

Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The skill directly fetches and processes user-generated content from an external OpenProject instance (configured via OPENPROJECT_URL). For example, op.py and SKILL.md show calls to list_work_packages, list_activities/get_wiki_page, list_documents, notifications, and attachments (openproject-work-packages, openproject-documents, openproject-notifications). The agent reads this content and can use it to drive actions such as creating or updating work packages or marking notifications, so arbitrary third-party content could supply instructions that influence tool behavior.

Audit Metadata

Risk Level: MEDIUM
Analyzed: Mar 3, 2026, 07:01 AM