notifications

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill explicitly fetches user-generated GitHub notifications via the command shown in SKILL.md ("gh-manager notifications list --repo owner/name" in Step 1), reads PR/issue/comment text from GitHub, and uses that content to triage and decide actions (e.g., what to mark read), so untrusted third-party content can materially influence agent behavior.