customer-persona

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The SKILL.md "Step 1: Research" explicitly instructs running belt app commands (e.g., belt app run tavily/search-assistant and belt app run exa/search) to fetch and ingest open/public web search results (surveys, blogs, forums, etc.) which the agent is expected to read and use to shape persona decisions, creating a clear vector for untrusted third-party content to influence behavior.