build-train
Warn
Audited by Snyk on Apr 22, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill reads user-generated GitHub issue content via "gh issue view" and injects the issue title/body ($ISSUE_BODY_SUMMARY) directly into the worker LLM prompts, so untrusted third-party issue text can influence workers that create PRs and run gh commands.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill makes GitHub API calls at runtime (gh issue view and gh api repos/$REPO/..., e.g. https://api.github.com/repos/$REPO/issues/$ISSUE and https://api.github.com/repos/$REPO/git/refs) to fetch issue bodies, which are injected into worker prompts (via $ISSUE_BODY_SUMMARY), so external content directly controls the agent's instructions.
MEDIUM W013: Attempt to modify system services in skill instructions.
- Attempt to modify system services in skill instructions detected (high risk: 0.80). The prompt explicitly spawns worker processes with the flag --dangerously-skip-permissions (bypassing permission checks) and instructs automated agents to execute and merge changes, which constitutes a security-bypassing behavior that can compromise the host environment.
Issues (3)
- W011 MEDIUM: Third-party content exposure detected (indirect prompt injection risk).
- W012 MEDIUM: Unverifiable external dependency detected (runtime URL that controls agent).
- W013 MEDIUM: Attempt to modify system services in skill instructions.
Audit Metadata