new-sep

Warn

Audited by Snyk on Jun 20, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.95). The skill fetches outsider-authored spec diff content from GitHub PR files via gh api .../pulls/<NNNN>/files and .../contents/<path>?ref=..., then reads the added patch/file text to extract RFC 2119 requirement sentences that are inserted into the generated YAML/LLM context.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). The skill executes GitHub API calls at runtime to fetch PR diffs and file contents (e.g., gh api "repos/modelcontextprotocol/modelcontextprotocol/pulls//files" and gh api "repos/modelcontextprotocol/modelcontextprotocol/contents/?ref="), and that fetched spec text is directly consumed to generate the YAML (i.e., remote content controls the agent's output).

Audit Metadata

Risk Level: MEDIUM
Analyzed: Jun 20, 2026, 05:32 PM
Issues: 2