runbook

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's loop prompt and seeding guide explicitly instruct subagents to consult an "Authority" that may be a URL and even to "look it up online" when needed (see references/loop-prompt.md fallback behavior and references/seeding-guide.md saying "A URL works — the loop will look it up"), so the agent will fetch and act on arbitrary public web content that can change its decisions.