backlog-md

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill's required workflow explicitly tells the agent to "Read EVERYTHING" and "Open any attached files/URLs" (references/task-workflow.md Step 2) and the CLI reference shows adding --ref/--doc with external URLs (references/cli-reference.md), meaning the agent will fetch and interpret untrusted public URLs as part of its task workflow.