github-url-intercept

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). This skill automatically parses any github.com URL and issues gh API calls or runs local scripts to fetch PRs, issues, files, commits, and comment content from public GitHub (see SKILL.md "Process", "Examples", and scripts/test_url_routing.py), so it ingests untrusted, user-generated third-party content which the agent then reads and uses to answer/analyze, enabling indirect prompt injection.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill explicitly fetches GitHub data at runtime (e.g., gh api "repos/{owner}/{repo}/contents/{path}?ref={ref}" and other gh api endpoints) and uses the returned content to build the agent's context/answers, so external GitHub responses can directly control prompts.