dig

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill explicitly clones and explores public GitHub repositories (step 2: git clone https://github.com/{owner}/{repo}.git into /tmp/cc-repos and step 3: launching a Research agent to traverse the repository) so the agent ingests untrusted, user-generated code and documentation that it reads and uses to drive answers and actions, creating a clear vector for indirect prompt injection.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). The skill performs runtime clones using URLs like https://github.com/{owner}/{repo}.git into /tmp/cc-repos and then launches a Research agent that ingests and uses the repository contents to formulate prompts/answers, so the fetched external content directly controls agent instructions and is a required runtime dependency.