open-responses
Warn
Audited by Snyk on Apr 1, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill explicitly defines and requires an agentic loop with function/tool calls (see SKILL.md "Tools" and "Agentic Loop Pattern") and documents custom web-search/tool result items (references/extensions.md example `acme:web_search_call` containing URLs/snippets and references/protocol-and-items.md showing input_image as a URL), which means the agent will ingest and act on untrusted public web/user-generated content returned by those tools.
Issues (1)
W011
MEDIUM Third-party content exposure detected (indirect prompt injection risk).
Audit Metadata