checkpoint-persistence

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly reads and interprets GitHub issue bodies and comments (e.g., "读档" / "read": "读取 issue 正文摘要和最近评论" and commands like gh issue view <id> -R <owner>/<repo> --comments) to restore state and determine next actions, exposing the agent to untrusted, user-generated third‑party content that can influence behavior.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). The skill explicitly reads and restores context from GitHub issue bodies and comments at runtime (via gh/git operations against the repository remote e.g. https://github.com// or git@github.com:/.git), so externally-fetched issue/comment content can directly control agent prompts and behavior.