planning-with-files-ar

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's required workflow (SKILL.md and templates/findings.md) instructs the agent to ingest/write web/search results and other external resources into findings.md (and task_plan.md is automatically re-read by a PreToolUse hook), and session-catchup.py also parses prior session messages from ~/.claude/projects — meaning untrusted, user-generated third-party content is read and can directly influence tool calls and decisions.