plan

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill explicitly instructs "If an issue number is given, fetch it with gh issue view $ARGUMENTS" which causes the agent to ingest and act on GitHub issue text (user-generated, potentially public) as the starting point for plans, enabling indirect prompt injection.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill explicitly runs "gh issue view $ARGUMENTS" at runtime to fetch a GitHub issue (e.g., https://github.com/{owner}/{repo}/issues/{number}), and that fetched issue content is used as the starting point for planning, so external content can directly control agent prompts.