git-kb-capture

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly reads and searches content from an arbitrary GitHub repository specified by GIT_KB_REPO (see SKILL.md Step 3 and scripts/gh_kb_helper.sh functions like get_markdown_files, read_file, and read_frontmatter), and it uses that repository content to decide where and how to save/merge notes, so untrusted user-generated repo content can materially influence agent actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.70). The skill uses the GitHub API via the gh CLI at runtime (e.g., gh api calls like repos/$REPO/contents/$path and the derived URL https://github.com/$GIT_KB_REPO/blob/main/{file_path}) to fetch markdown/frontmatter from the user's repository, and that fetched content is read and used to determine/drive the agent's suggestions and file creation behavior, so external repo content can directly influence agent prompts.