github-multi-repo

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The SKILL.md workflow contains numerous Bash/gh commands that auto-discover, gh api fetch, and clone GitHub repositories and their files (e.g., "gh repo list ...", "gh api repos/:owner/:repo/contents/package.json", and cloning in /tmp), meaning the agent will read untrusted, user-generated third-party repository content from GitHub and act on it (tests, commits, PRs), which could enable indirect prompt injection.