session-inspector

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill explicitly fetches and parses public GitHub issue comments via the "extract-session-from-issue" command (documented in SKILL.md and references/tools.md), ingesting user-generated content which the agent interprets to reconstruct sessions and drive follow-up actions (e.g., creating PRs), so it can be influenced by untrusted third-party input.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill includes a runtime command that fetches GitHub issue comments to reconstruct session XML (extract-session-from-issue ), which causes the agent to ingest externally-hosted content such as "https://github.com/owner/repo/issues/123" and that fetched content can be fed into the extraction/distillation pipeline and thus directly influence model prompts—so this is a runtime external dependency controlling agent input.