gh-bootstrap

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly clones and reads public GitHub repositories defined in specs/template-catalog.md and phases/04-execution.md (e.g., git clone --depth 1 https://github.com/{owner}/{repo} into .gh-bootstrap-cache/) and then uses those untrusted, user-visible templates as the authoritative source to generate and write configuration files, so third-party content is ingested and directly influences generation and actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill explicitly performs runtime git clone of template repositories (e.g., git clone --depth 1 https://github.com/actions/starter-workflows into .gh-bootstrap-cache/) and requires those external templates to be read and copied as-is into .github/workflows — meaning the fetched content (workflow YAML) is a required dependency and can cause remote-executed CI actions, so this URL is a high-confidence runtime risk: https://github.com/actions/starter-workflows