subway

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.70). The skill instructs running a node script that uses the gh CLI to create/update GitHub Issues (node ${CLAUDE_PLUGIN_ROOT}/skills/subway/orders/index.js), which implies reading and interpreting existing GitHub issue content (public, user-generated) as part of its workflow, exposing the agent to untrusted third-party content.