scratch-pad

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The scratch-pad explicitly logs external tool results (e.g., examples showing log-tool "web_search" and mcp__perplexity__search) and the integration pattern reads the scratch file (manager.read / python ... read) for use in responses, so it clearly ingests and exposes untrusted public web-search/tool output for the agent to interpret.