github-multi-repo

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's SKILL.md explicitly instructs the agent to fetch and clone arbitrary GitHub repositories and read repository contents (e.g., "gh api repos/org/$repo/contents/package.json" and "gh repo clone org/$repo"), which ingests user-generated third-party content that the agent then uses to decide and drive follow-up actions (updates, PRs, patches).

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.70). The skill explicitly clones and runs code from GitHub repositories at runtime (e.g., gh repo clone org/$repo /tmp/$repo and the repository URL github.com/my-org/frontend), then runs npm install/npm test which executes remote code, so those repo URLs are runtime dependencies that can execute code.