jaan-issue-review

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The workflow explicitly fetches and reads GitHub issue bodies and comments using "gh issue view {ID} --repo parhumm/jaan-to" (Step 0.2 / Step 0.4), which are untrusted user-generated third‑party contents that the agent is required to interpret and use to drive planning and tool actions, enabling indirect prompt injection.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill invokes the GitHub CLI at runtime (gh issue view {ID} --repo parhumm/jaan-to), which fetches issue content from GitHub (e.g., https://github.com/parhumm/jaan-to/issues/{ID}) that is then used to drive planning and agent instructions, so the external issue content can directly control prompts.