major-task

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill explicitly instructs the agent to fetch and read public, user-generated tracker content (e.g., "GitHub issue URL: fetch it with gh issue view" and "GitHub PR URL: fetch it with gh pr view" and to read comments/attachments), so untrusted third‑party content can directly influence decisions and actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.70). The skill explicitly fetches GitHub issue/PR pages and clones repositories at runtime (e.g., via commands like gh issue view, gh pr view, and git clone), meaning external content from URLs such as https://github.com/... can be fetched during runtime and directly control the agent's source-of-truth and prompts.