workbench

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.70). The skill explicitly supports writing and running code that fetches external APIs ("/workbench write a script that fetches data from an API and processes it" in Usage and the "Prototype" examples), allows installing packages from public registries (e.g., "docker exec cc-workbench pip install pandas") and pulling images like "postgres:16" in the Custom Environments example, and its Dockerfile runs apt-get — together showing the agent will ingest untrusted third-party content (web APIs, package registries, container images) that can influence subsequent tool use and decisions.