Harvest
Fail
Audited by Snyk on Mar 11, 2026
Risk Level: CRITICAL
Full Analysis
CRITICAL E004: Prompt injection detected in skill instructions.
- Potential prompt injection detected (high risk: 0.80). The prompt contains explicit operational directives (e.g., "Journal (.agents/harvest.md): store durable domain insights" and "After completion, add a row to .agents/PROJECT.md") that require writing to repository files and thus contradict the stated "Stay read-only" core contract, which is a deceptive/misaligned instruction outside the skill's advertised purpose.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill explicitly ingests GitHub PR data from the open web (see SKILL.md and references/gh-commands.md and the runtime fetchPRs call in scripts/generate-report.js which runs "gh pr list"), and it parses PR titles/descriptions/labels to classify work, compute estimates, and drive downstream handoffs—so untrusted, user-generated third-party content can materially influence agent decisions and tool use.