gh-cli
Warn
Audited by Snyk on Mar 30, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). SKILL.md explicitly documents commands that fetch and act on public, user-generated GitHub content (for example "gh extension install owner/extension-repo", "gh repo clone owner/repo", "gh gist view", and "gh api /..."), meaning the agent would ingest untrusted third-party pages, repos and gists whose content could materially influence subsequent actions.
MEDIUM W013: Attempt to modify system services in skill instructions.
- Attempt to modify system services in skill instructions detected (high risk: 1.00). The prompt contains explicit installation commands using sudo that write to system locations (e.g., /usr/share/keyrings and /etc/apt/sources.list.d) and run apt install, which require elevated privileges and modify the machine state.
Issues (2)
- W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
- W013 (MEDIUM): Attempt to modify system services in skill instructions.
Audit Metadata