filesystem-context

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.70). The skill explicitly instructs agents to write and later read large tool outputs such as web search results to filesystem scratch files (see "Pattern 1: Filesystem as Scratch Pad" and "Example 1: Tool Output Offloading") and to use grep/read_file to retrieve and act on that content, which means untrusted public web or user-generated content can be ingested and influence agent behavior.