trace

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The SKILL.md explicitly instructs the agent to clone arbitrary repo URLs into ghq ("With --repo [url]: Clone to ghq") and to query public GitHub issues/PRs in Wave 2 ("Agent E: GitHub Issues/PRs" running gh issue list / gh pr list), and those external, user-generated contents are read and compiled into the trace results which drive escalation, friction_score, and subsequent actions — exposing the agent to untrusted third-party content that could carry indirect prompt injections.