golang-dependency-management

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). Yes — the SKILL.md "Ask Before Adding Dependencies" rule explicitly tells the agent to check GitHub metadata (e.g., "check via gh repo view" and report stars/last commit/maintenance), which requires fetching and interpreting untrusted public GitHub content that can directly influence dependency-selection and subsequent tool actions.