ci-cd

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.70). The skill explicitly calls out using the GitHub CLI ("gh api") to look up commit SHAs for third‑party actions (see "How to Find the SHA" and "Assumptions"), which involves fetching and interpreting content from arbitrary public GitHub repositories that are user-generated and untrusted.