planning-with-files-es

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). Yes — the skill's workflow (SKILL.md and templates/findings.md) explicitly instructs the agent to record web/search/browser results into findings.md (and session-catchup.py reads prior session messages), while a PreToolUse hook rereads planning files (task_plan.md) before tool calls, so untrusted public/web/user-generated content is ingested and can materially influence subsequent tool use and decisions.