triage

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill directly uses the gh CLI to fetch and read GitHub issue and PR bodies, comments, diffs and files (e.g., "$GH issue view ...", "$GH pr view ...") — user-generated, untrusted content that the agent parses and uses to decide classifications, propose/implement fixes, and craft comments, so third-party text can materially influence actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill invokes git/gh at runtime (extracting the repo URL such as git@github.com:owner/repo.git or https://github.com/owner/repo.git and calling GitHub via gh which hits api.github.com) to fetch issue and PR bodies that are injected into the agent's context and therefore directly control prompts/instructions.