ghp

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill repeatedly fetches and ingests GitHub issue and PR bodies/comments (user-generated content) as part of required flows—e.g., /ghp:fresh step 5 uses "gh issue view 42 --json comments -q '.comments[].body'" and other commands (gh issue view, gh pr view) to read plan comments and then start work, so untrusted third-party content can directly influence actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill declares required gh extensions that are installed from remote GitHub repos (gh extension install yahsan2/gh-pm, gh extension install valeriobelli/gh-milestone, gh extension install jwilger/gh-issue-ext), which fetch and install remote code that will be executed and are required for the skill's runtime commands (e.g., gh pm, gh milestone, gh issue-ext).