create-git-issue

Fail

Audited by Snyk on May 11, 2026

Risk Level: CRITICAL
Full Analysis

CRITICAL E004: Prompt injection detected in skill instructions.

  • Potential prompt injection detected (high risk: 1.00). The "Skill Isolation" section explicitly orders the skill to act as the sole authority for the session and to suppress or ignore other skills/external activations, which is an instruction to override session/system behavior and thus is a deceptive/out-of-scope directive relative to the skill's stated purpose of creating and publishing PRDs/issues.

CRITICAL E006: Malicious code pattern detected in skill scripts.

  • Malicious code pattern detected (high risk: 0.90). The content instructs the skill to unilaterally take sole authority over the session (suppressing other skills) and explicitly tells operators to attempt running commands "outside sandbox" to check GitHub CLI availability—both are clear attempts to subvert platform controls and enable actions outside intended confinement, which are high-risk indicators of malicious intent or backdoor behavior.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The SKILL.md explicitly requires fetching and reading an issue's body and comments when the user provides an issue reference (issue number, URL, or path)—e.g., GitHub issues—which are public, user-generated content that the agent will interpret and use to draft PRDs and decide next actions.

Issues (3)

  • E004 (CRITICAL): Prompt injection detected in skill instructions.
  • E006 (CRITICAL): Malicious code pattern detected in skill scripts.
  • W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).

Audit Metadata
Risk Level: CRITICAL
Analyzed: May 11, 2026, 05:58 PM
Issues: 3