github-conversation

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The SKILL.md explicitly instructs the agent to use gh-llm to read GitHub PR/issue timelines, collapsed review threads, and checks (e.g., "Read a PR" and "Reading workflow" sections), which are public, user-generated GitHub contents the agent must ingest and act on—exposing it to untrusted third-party content that could inject instructions.