github

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly fetches and interprets user-generated content from public GitHub (e.g., get-file-contents, search-code, get-pull-request-comments and other search/list/get commands shown in SKILL.md and scripts/github.ts), and those results can be read by the agent and used to drive follow-up actions like reviews, commits, or merges, which enables indirect prompt injection.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill spawns "npx -y @modelcontextprotocol/server-github" at runtime (embeddedServer.command.args), which causes npm to fetch and execute remote package code that the skill requires to run, so this runtime external dependency executes remote code.