workflow-rig

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The SKILL.md explicitly shows the rig running shell handlers that perform git clone/commit/push and accepts a --repo-url , and the infer handler is described as a "full pi agent" that reads and edits files from those repos—meaning arbitrary public/untrusted git repositories can be fetched and their contents can directly influence agent actions.