github-multi-repo

Warn

Audited by Snyk on Mar 1, 2026

Risk Level: MEDIUM

Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). SKILL.md explicitly instructs the agent to fetch and decode repository files from GitHub (e.g., Bash(gh api repos/:owner/:repo/contents/package.json --jq '.content' | base64 -d), and gh repo list ... / gh repo clone org/$repo in multiple sections), meaning it ingests untrusted, user-generated repo content that directly drives decisions (which repos to update, tests to run, PRs to create).

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). The skill issues runtime GitHub fetch/clone commands (e.g., "gh repo clone org/$repo" and "gh api repos/:owner/:repo/contents/ruv-swarm/docs/CLAUDE.md") and then runs npm install/npm test and other local commands. It therefore fetches remote repository code/content at runtime that is executed or can contain agent command files, creating a clear runtime dependency that can execute remote code or control agent behavior.

Audit Metadata

Risk Level: MEDIUM
Analyzed: Mar 1, 2026, 04:34 PM