fork

CRITICAL E004: Prompt injection detected in skill instructions.

• Potential prompt injection detected (high risk: 1.00). The prompt contains explicit post-execution instructions to locate and edit the skill's own SKILL.md (persisting changes so "the next invocation inherits whatever you leave behind"), which directs the agent to modify its own skill/documentation outside the stated purpose of creating/configuring a fork workflow.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The workflow explicitly reads and acts on external GitHub data — e.g., Step 0.4 uses git remote get-url to parse origin/upstream, Step 0.5 runs gh api user, and Steps 2.1/3.1 call gh repo fork / gh repo view — these are untrusted, user-generated GitHub resources whose contents are parsed and directly drive fork/remotes and subsequent git/gh actions.