gh-cli

Warn

Audited by Snyk on Mar 8, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The skill's SKILL.md explicitly instructs runtime commands that fetch and read public, user-generated GitHub content (e.g., gh issue view/list, gh pr view/list, gh gist view, gh api, gh repo clone) and shows workflows such as "Bulk Operations" that use those results to drive follow-up commands, so untrusted third-party content from GitHub can influence tool actions.

MEDIUM W013: Attempt to modify system services in skill instructions.

  • Attempt to modify system services in skill instructions detected (high risk: 0.70). The skill includes explicit installation steps that use sudo and write to system directories (e.g., dd to /usr/share/keyrings.gpg and tee to /etc/apt/sources.list.d). These steps instruct the agent to modify system files that require elevated privileges, and thus could change the machine state.

Audit Metadata

Risk Level: MEDIUM
Analyzed: Mar 8, 2026, 02:24 AM