writing-prds

CRITICAL E005: Suspicious download URL detected in skill instructions.

• Suspicious download URL detected (high risk: 0.70). This is a link to an obscure/personal GitHub account (shipshitdev) rather than an official vendor or well-known project; while not a direct executable, GitHub accounts can host release binaries and unknown/small accounts are commonly used to distribute malware, so treat as suspicious.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.70). The required runtime path “When the user says ‘plan the X PRD’” fetches the current tracker issue body (e.g., via gh issue view <N> --json body) and the planning agent reads it verbatim; if that issue body contains text authored by someone other than the operating user, it becomes outsider free text in the LLM context.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill explicitly instructs the planner to fetch PRD text from tracker issues at runtime (e.g., via gh issue view <N>), meaning external GitHub issue bodies (e.g., https://github.com/shipshitdev) are fetched during runtime and directly control the agent's prompts/output.