plan-issue-tree

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill reads GitHub issue content via the gh CLI and scripts (e.g., gh issue list / gh api in scripts/read-tree.sh) and the references/issue-body-template.md explicitly states issue bodies "double as a subagent prompt" that run-issue-plan reads to generate agent dispatches, so arbitrary public/user-generated GitHub issue text can directly influence agent actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). The skill fetches issue bodies at runtime from GitHub using the gh API (e.g., gh api "repos/$REPO/issues/$ISSUE" — https://api.github.com/repos/OWNER/REPO/issues/ISSUE), and those fetched issue bodies are explicitly used as subagent prompts that drive agent dispatches, so remote content directly controls prompts and is a required dependency.