project

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). This skill clones and reads arbitrary public GitHub repositories (e.g., scripts/reunion.ts uses ghq get and scans link.target for ψ/memory, learnings, retrospectives; scripts/index.ts reads those generated manifests and the SKILL.md describes calling oracle_learn), so untrusted, user-generated repo content from the open web is ingested and can directly influence indexing/learning and subsequent agent actions.