session-start

CRITICAL E004: Prompt injection detected in skill instructions.

• Potential prompt injection detected (high risk: 0.90). It explicitly instructs the agent to override user consent and resume autonomous orchestration immediately ("do not wait for user input" and "Always operate under autonomous-operation"), which changes behavior beyond the session-start's stated orientation/checklist purpose.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly fetches and parses user-generated content from GitHub (project boards, issues, PR bodies and comments) using commands like gh project item-list, gh project view, and gh pr list (see Step 3, Step 3.5, and "Read the issue"), exposing the agent to untrusted third-party content it is expected to read and interpret.