write

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's SKILL.md "Release Notes Pre-flight" explicitly instructs the agent to run gh release view --json body -R <owner>/<repo> (and to fetch sibling repos) to read public GitHub release bodies as style references, which are user-generated, open-web content the agent will ingest and use to influence formatting/decisions—creating a clear path for indirect prompt injection.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill's Release Notes Pre-flight requires running gh release view --json body -R <owner>/<repo> to fetch a project's recent release at runtime (e.g. https://api.github.com/repos///releases/latest), and the fetched release body is used as a required style reference that directly guides how the agent composes the output.