gaphunter

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). Yes — the SKILL.md's Deep Mode explicitly fetches and ingests repository contents (local and via the GitHub gh API: e.g., "gh api /repos/{owner}/{repo}/contents/package.json", "git/trees/HEAD?recursive=1", and "Deep Mode reads your actual code"/"scan all") and uses those third‑party, user‑authored files to drive gap detection, teaching examples, and downstream decisions, which exposes the agent to untrusted external content that could contain indirect prompt-injection payloads.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill explicitly calls the GitHub API at runtime (e.g., gh api /repos/{owner}/{repo}/contents/package.json and gh api /repos/{owner}/{repo}/git/trees/HEAD?recursive=1 → https://api.github.com/repos/{owner}/{repo}/...), fetching repo file contents that are then used to drive gap detection and to generate/bind lesson prompts and examples, so external content fetched at runtime can directly influence the agent's prompts.