gh
Warn
Audited by Snyk on Apr 28, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.70). The skill's scripts explicitly fetch and parse public GitHub releases, issues, labels, milestones and Projects V2 data (user-generated content), notably scripts/setup_gh.py, which fetches https://api.github.com/repos/cli/cli/releases/latest, and scripts/github_project_setup.py and scripts/experiment_cleanup.py, which use PyGithub and gh api/graphql. The scripts then make programmatic decisions and changes (label transitions, project field updates, issue closure), so untrusted third-party content can materially influence tool actions.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 1.00). The setup script (scripts/setup_gh.py) fetches release metadata from https://api.github.com/repos/cli/cli/releases/latest and then downloads and installs release assets (GitHub Releases browser_download_url). These assets are fetched at runtime and executed/installed; that is, remote code is retrieved and installed as a required dependency.
Issues (2)
- W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
- W012 (MEDIUM): Unverifiable external dependency detected (runtime URL that controls agent).