w00-workflow-checkpoint

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). This skill explicitly reads and interprets user-generated GitHub issue content (e.g., using "gh issue view -R / --comments" and "gh issue list ...") as part of its required read/restore workflow, exposing the agent to untrusted third-party content that could contain injected instructions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill invokes runtime GitHub issue commands (e.g., "gh issue view -R / --comments", accessing github.com repositories such as qiao-925/qiao-skills) to fetch issue/comment content which is used to restore checkpoint context and can therefore directly control agent prompts/state.