backport-pr

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). This skill directly fetches and parses public, user-generated GitHub content (e.g., via "gh pr view", "gh pr list", and "gh issue view" against microsoft/aspire to read PR bodies, comments, and linked issues) and uses that content to make decisions and draft the backport PR template, so untrusted third-party text could materially influence agent actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill runs gh commands that fetch live GitHub content at runtime (e.g., via the GitHub API endpoint like https://api.github.com/repos/microsoft/aspire/git/refs/heads/ and gh pr view) and injects PR/issue text into the agent's drafting process, so external content from that URL directly controls prompts and is a required dependency.