worktree-fleet

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The launcher explicitly allows workers to perform web searches/fetches as part of their runtime: lib/tools.sh sets a codex extra flag (-c 'web_search="live"') for "research" workers and get_disallowed_tools does not block WebFetch/WebSearch for research, and those flags/permissions are passed into worker commands in lib/worker-spawn.sh and scripts/launch.sh, so agents can fetch and interpret untrusted public web content during execution.