puff

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's workflow explicitly includes launching a "join-operator" against an arbitrary repository and patch inbox (see SKILL.md and references/commands.md: run_puff_tool join-operator --env <env-id-or-label> --repo <owner/repo> --patch-inbox <locator>), which means the agent will fetch and interpret user-generated PR/patch content from third-party repos and use it to drive cloud actions, creating a clear path for indirect prompt injection.