beads

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The beads-worker workflow explicitly polls bd ready and parses bd show <task_id> --json (task titles, descriptions, labels, and comments stored in the .beads/ repo and coming from collaborators) and then uses those user-provided fields (including "Suggested Skills" blocks and delegated Task(subagent_type="Explore", prompt="...")) to select and activate skills/subagents, so untrusted task text can directly influence agent actions.