gh-cli

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill's SKILL.md explicitly instructs use of gh commands that fetch and ingest public, user-generated GitHub content (e.g., gh repo clone owner/repo, gh gist view abc123, gh api /user, gh search, gh browse, and workflows like gh issue list --json ... --jq '.[].number' | xargs ... to close issues), so untrusted third-party page/content could be read and directly influence subsequent tool actions.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 1.00). The prompt contains explicit installation commands using sudo that write to system locations (e.g., /usr/share/keyrings and /etc/apt/sources.list.d) and run apt install, which require elevated privileges and modify the machine state.