gh-cli

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill documents many commands that fetch and display public, user-generated GitHub content (e.g., gh issue view, gh pr view, gh gist view, gh repo clone, gh browse, and gh api) which cause the agent to read arbitrary third-party repository issues, PRs, comments, gists, and web pages from GitHub or external URLs.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 1.00). The prompt contains explicit installation commands using sudo that write to system locations (e.g., /usr/share/keyrings and /etc/apt/sources.list.d) and run apt install, which require elevated privileges and modify the machine state.