orchestrate

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). This skill explicitly fetches and acts on public GitHub PR data (see verify-complete.sh and the poll/verification workflow using gh pr view, gh pr checks, and gh api graphql to read review threads, PR diffs, and CI results), treating untrusted, user-generated content as input that directly governs re-briefing, approvals, and recycling decisions—creating a clear avenue for indirect prompt injection.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 0.70). The skill instructs the agent to perform many persistent system-state changes (creating tmux windows, checking out branches, running/restarting processes, writing and moving state files, running Docker tests, and using "--permission-mode bypassPermissions"), which can modify and disrupt the host environment even though it doesn't request sudo, create users, or edit system-level configs.