github-checkpoint-persistence

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill explicitly reads and restores context from GitHub issues and comments (user-generated content) — e.g., SKILL.md Step 5 shows using “gh issue view -R / --comments” and Step 4 / references/github-persistence-schema.md require extracting fields from issue bodies and latest comments — which are untrusted third-party sources that can influence agent decisions and actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill explicitly runs GitHub CLI commands at runtime (e.g., gh issue view -R <owner>/<repo> --comments) to fetch issue/comment content from GitHub (e.g., https://github.com///issues/), and that fetched content is used to restore agent context and therefore directly controls the agent's prompts/resume behavior.