landing-report

CRITICAL E004: Prompt injection detected in skill instructions.

• Potential prompt injection detected (high risk: 1.00). The skill claims to be read-only but embeds numerous hidden/deceptive executable instructions (telemetry writes, touching marker files, config changes, optional git commits/removals, brain-sync prompts and other mutations) that alter local state and can exfiltrate or change settings outside the advertised snapshot purpose, so this is a prompt injection.\

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill explicitly runs GitHub CLI calls (Step 1: gh pr view) and a helper (bun run bin/gstack-next-version in Step 3) that fetches PR/queue data (the .claimed JSON containing PRs/branches/URLs) and then reads/interprets that user-generated PR/worktree data to detect collisions and decide suggested actions, so it ingests untrusted third-party content from repo-hosted PRs (and even optionally opens a public URL in the LAKE_INTRO flow).