gastown

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly instructs the agent to fetch and read external repositories and pages (e.g., "GitHub Repository: https://github.com/steveyegge/gastown", "Use WebFetch to read specific files from the repo", and the gt rig add flow which requires GitHub URLs and reading references/tutorial.md), so it will ingest and interpret untrusted, user-provided third‑party content.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 0.75). The skill explicitly instructs the agent to act as the system's operator and execute arbitrary shell commands (install software, run gt/ bd commands, run "gt doctor --fix", start/stop services, create workspaces, etc.), which gives the agent broad ability to modify the machine's state and perform system-level changes even though it doesn't explicitly demand sudo or user creation — this delegation of terminal control is a high-risk pattern.