pick-next-issue

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The SKILL.md explicitly runs gh issue list and gh issue view (Steps 1 and 4) to fetch GitHub issue bodies and comments (user-generated, untrusted content) and then uses that text to drive planning and invoke /turboplan, so third-party issue content can materially influence agent actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill invokes the gh CLI to fetch GitHub issue bodies at runtime (via github.com / the GitHub API) and then passes those raw issue texts into the /turboplan skill as the task description, meaning remote GitHub content can directly control the agent's prompts.