yeet

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly fetches and ingests user-generated GitHub content (issues, PRs, comments, discussion categories, and repository templates)—for example, references/comment-issue.md's "Fetch Issue Context" uses gh issue view to read issue title/body and recent comments, and create-issue.md / create-discussion.md fetch .github templates via gh api repos/.../contents/...—and the agent is required to read and act on that content when composing comments, issues, or discussions, exposing it to untrusted third-party input that could carry indirect prompt injection.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill explicitly fetches repository templates at runtime (e.g., via "gh api repos/{owner}/{repo}/contents/.github/ISSUE_TEMPLATE/{template_name} --jq '.content' | base64 -d" and "gh api repos/{owner}/{repo}/contents/.github/DISCUSSION_TEMPLATE/{template_name} --jq '.content' | base64 -d"), then parses and injects that content to generate issue/discussion/PR bodies, so remote content can directly control the agent's prompts/output.