github-kb

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The SKILL.md explicitly instructs using the gh CLI to search, view, and clone public GitHub repositories (e.g., "gh repo view", "gh search repos/issues/prs/code", and cloning into ~/workspace/github-kb" and then reading those repo files), which pulls untrusted, user-generated third-party content that the agent is expected to read and act on.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill performs runtime git/gh clones (e.g., git clone https://github.com/<owner/repo>.git or gh repo clone <owner/repo>) and then reads repository files into the agent context to answer user queries, so fetched remote content can directly control prompts/instructions.