design

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's Phase 2 "Live Research" explicitly instructs the agent to use the Gemini CLI or WebSearch to fetch and ingest current open-web OSS library pages (GitHub/npm/public websites) and use those findings to choose libraries for the catalog, meaning untrusted third-party content is read and can materially influence subsequent decisions and actions.