learn
Warn
Audited by Snyk on Mar 15, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill's SKILL.md explicitly clones arbitrary public GitHub repositories via commands like ghq get -u "$URL" and then instructs spawned agents to "READ source code from: [SOURCE_DIR]" (the ψ/learn/.../origin/ symlink), meaning the agent ingests and interprets untrusted, user-generated third-party content from the open web.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill runs ghq get -u "$URL" (e.g. https://github.com/$OWNER/$REPO) at runtime to clone external repositories which are then read into spawned agents as their input (i.e., injected into the model context), so the fetched GitHub content directly controls agent behavior.
Issues (2)
- W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
- W012 (MEDIUM): Unverifiable external dependency detected (runtime URL that controls agent).