prd-to-issues

Warn

Audited by Snyk on May 14, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). Step 1 of the skill, "Locate the PRD", explicitly instructs the agent to fetch the PRD with gh issue view <number> (including comments). The agent therefore ingests user-generated GitHub issue content, which is public and untrusted, and uses it to drive decomposition and subsequent actions, so malicious third-party text could influence the agent's decisions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.80). The skill explicitly instructs fetching the parent PRD at runtime with gh issue view <number> (i.e., a GitHub issue URL of the form https://github.com///issues/), and that external issue content is injected into, and used to drive, the agent's decomposition prompts and decisions.

Issues (2)

  • W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
  • W012 (MEDIUM): Unverifiable external dependency detected (runtime URL that controls agent).

Audit Metadata

Risk Level: MEDIUM
Analyzed: May 14, 2026, 04:58 PM
Issues: 2