issue

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly fetches user-generated GitHub content with "gh issue view N" and invokes a "Web researcher" sub-agent to research best practices from the open web as part of /issue enrich, and that external content is then used to rewrite issues and run gh issue edit—so untrusted third-party content can directly influence actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill calls GitHub via the gh CLI (e.g., gh issue view → GitHub API at https://api.github.com) at runtime to fetch issue bodies which are then injected into agent prompts/sub-agent instructions, so remote content can directly control agent behavior.