obsidian-gh-knowledge

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly reads and searches files from arbitrary GitHub repositories using scripts/github_knowledge_skill.py (via gh api) and SKILL.md even instructs the agent to "read" and "follow" an in-repo AGENTS.md (which can be user-generated), so untrusted third-party repo content can be ingested and alter agent behavior.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill calls the GitHub API at runtime (e.g., via "gh api repos///contents/") to fetch repository files, and the SKILL.md explicitly instructs the agent to read and follow an AGENTS.md from the repo—which means remote repo content can directly control agent instructions.