spec

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill's required Phase 2 "Investigate" workflow explicitly launches a "Web research agent" to gather "How do others solve this? Current best practices, docs (Gemini)" (see the Phase 2 Investigate table in SKILL.md), which clearly entails ingesting public/untrusted web content that can influence product decisions and follow-up actions, so it can enable indirect prompt injection.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill invokes gh issue view $1 --comments, which at runtime fetches GitHub issue content (e.g. https://github.com///issues/) and injects that external text into the agent's prompts as required input, so that remote content directly controls the agent's instructions.