Pulling Updates from Skills Repository

Warn

Audited by Snyk on Feb 20, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 1.00). The skill's required workflow explicitly fetches and merges updates from an upstream remote (Step 3: "git fetch $TRACKING_REMOTE", falling back to "git fetch upstream" for obra/superpowers-skills), then inspects those commits (Step 4: "git log HEAD..@{u}") and merges/runs them (Steps 5–8). It therefore ingests and acts on untrusted third-party repository content that could influence subsequent actions.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Feb 20, 2026, 08:51 AM