building-github-index

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's scripts (scripts/github_index.py and scripts/pk_index.py) explicitly download public GitHub repo tarballs via the GitHub API (see fetch_tarball and the "API Access"/"Network" sections in SKILL.md) and parse README/markdown/notebooks/code to build indexes, meaning it ingests untrusted, user-generated repository content that the agent reads and uses to drive retrieval and project-knowledge decisions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The scripts download repository tarballs at runtime from https://api.github.com/repos/{owner}/{repo}/tarball/{branch} (and reference https://api.github.com/repos/{owner}/{repo}/contents/PATH?ref=BRANCH), then parse and inject the fetched repo content into generated indexes that are used as Claude project knowledge—so external content fetched at runtime directly controls the agent's context/prompts and is required for the skill to operate.