github-ops
Fail
Audited by Snyk on Mar 10, 2026
Risk Level: CRITICAL
Full Analysis
CRITICAL E004: Prompt injection detected in skill instructions.
- Potential prompt injection detected (high risk: 1.00). The prompt includes a "Memory Protocol" that instructs the agent to read and write `.claude/context/memory/*` files and to "assume interruption," which are hidden/persistent behavior directives unrelated to the stated GitHub CLI reconnaissance purpose and thus constitute a deceptive instruction injection.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 1.00). The skill explicitly uses the GitHub CLI to list, search, and fetch repository files (e.g., "gh api repos/{owner}/{repo}/contents" and "gh search code" in SKILL.md and the implementation template), which pulls arbitrary public, user-generated GitHub content that the agent is instructed to read and use to determine subsequent actions.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill executes gh api repos/{owner}/{repo}/contents/{path} (i.e., https://api.github.com/repos/{owner}/{repo}/contents/{path}) at runtime and explicitly mandates reading .claude/context/memory/learnings.md before starting, meaning fetched repository content can directly control agent prompts/memory and is a required dependency.