workspace-init

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly clones and inspects arbitrary sub-repositories provided via user-supplied Git URLs (Phase 1.4 / Phase 2.4) and fetches template state from a public GitHub repo using gh api during Update mode, and it parses those third‑party files to decide commands, overwrite files, and apply updates—so untrusted repository content can materially influence the agent's actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill makes runtime gh API calls (e.g., gh api repos/niracler/dev-config-template/commits/main and compare endpoints) to fetch files from the remote template (https://github.com/niracler/dev-config-template) and then overwrites/refills CLAUDE.md and other template files—i.e., it fetches external content at runtime that directly controls agent prompts/instructions and is relied upon for updates.