gh-tasks

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill explicitly loads and interprets GitHub user-generated content (issue bodies, PR diffs and comments) via gh commands in required workflows (e.g., orchestrate.md stages that run gh issue view and the Task prompt "Read the issue for the plan", work.md and plan.md parsing issue bodies and gh pr view), so untrusted third-party content from GitHub is read and used to drive agent actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The orchestrate sub-skill fetches the GitHub issue body at runtime via the gh CLI (e.g., GitHub issue URL https://github.com/{owner}/{repo}/issues/) and injects that fetched issue/plan content into the Task/subagent prompt, so remote content directly controls agent instructions.