gh-cli
Warn
Audited by Snyk on Mar 30, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The SKILL.md explicitly instructs using gh to fetch and parse public, user-generated GitHub content (e.g., "gh issue view 123 --json title,body,comments", "gh gist view abc123", "gh api /repos/owner/repo" and search/--jq pipelines) and shows workflows that use that output to drive actions (xargs to close issues, gh pr merge, etc.), so untrusted third-party content from GitHub can be read and can materially influence subsequent tool use.
MEDIUM W013: Attempt to modify system services in skill instructions.
- Attempt to modify system services in skill instructions detected (high risk: 0.80). The prompt includes installation and configuration commands that use sudo and modify system files (e.g., writing to /usr/share/keyrings and /etc/apt/sources.list.d) and suggests insecure auth/storage options, which would cause an agent to change the host system state if executed.
Issues (2)
- W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
- W013 (MEDIUM): Attempt to modify system services in skill instructions.
Audit Metadata