spec-plan

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). SKILL.md Workflow step 1 explicitly instructs the agent to read GitHub issues (gh issue view ... --json body,title,comments) and their comments—user-generated third-party content the agent must interpret to drive decisions—so it can ingest untrusted external input that could influence actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill explicitly instructs running a runtime fetch of a GitHub issue (e.g., via "gh issue view ISSUE_NUMBER --repo ORG/REPO" which corresponds to accessing URLs like https://github.com/ORG/REPO/issues/ISSUE_NUMBER) and then uses that fetched issue body/comments to drive questions and agent prompts, so remote content would directly control the agent's prompts.