github-url-intercept

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). This skill's SKILL.md explicitly instructs the agent to parse any github.com URL and call GitHub APIs or scripts (e.g., gh api "repos/{owner}/{repo}/pulls/comments/{id}" and get_pr_context.py) to fetch PRs, issues, files and comments — public, user-generated GitHub content that the agent reads and uses to answer questions, so it clearly exposes the agent to untrusted third‑party content.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). This skill automatically fetches GitHub URLs at runtime (e.g., https://github.com/owner/repo/pull/123) via local scripts or gh api and then injects the returned file/PR/comment JSON into the agent's context to answer user queries, which clearly allows externally authored content to control prompts/outputs (prompt-injection risk).