github-conversation

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). Yes — the skill explicitly instructs the agent to read GitHub PR/issue timelines, comments, and review threads using gh-llm commands (e.g., "gh-llm pr view", "timeline-expand", "issue view" in the "Reading workflow" and related sections), which are untrusted user-generated content that the agent must interpret to decide replies and write actions, creating a clear prompt-injection risk.