github-ops

CRITICAL E004: Prompt injection detected in skill instructions.

• Potential prompt injection detected (high risk: 1.00). The prompt includes a "Memory Protocol" that instructs the agent to read and write .claude/context/memory/* files and to "assume interruption," which are hidden/persistent behavior directives unrelated to the stated GitHub CLI reconnaissance purpose and thus constitute a deceptive instruction injection.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill explicitly uses the GitHub CLI to list and fetch repository files (e.g., SKILL.md commands like gh api repos/{owner}/{repo}/contents and the implementation/template steps that fetch .content), causing the agent to ingest untrusted, user-generated content from public GitHub repositories which can influence subsequent tool use and decisions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill invokes GitHub API endpoints at runtime (e.g., gh api repos/{owner}/{repo}/contents/{path} — https://api.github.com/repos/{owner}/{repo}/contents/{path}) to fetch repository files such as SKILL.md and .claude/context/memory/learnings.md which can be injected into the agent context and directly control prompts, making this an external runtime dependency that affects agent instructions.