git-submodule

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The SKILL.md explicitly instructs fetching and updating public repositories (e.g., "git submodule add https://github.com/example/lib.git", "git clone https://github.com/myorg/myproject.git", and "git submodule update --remote"), which clearly pulls untrusted, user-generated content from public Git hosts and expects the agent to operate inside and act on those submodules (cd into them, update/merge), so third-party content could materially influence subsequent actions.