run-issue-plan

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill explicitly fetches and ingests GitHub issue bodies, comments, and sub-issues via gh CLI and gh api (see SKILL.md workflow steps, references/subagent-dispatch.md prompt template, and scripts/read-tree.sh), and it uses those verbatim user-generated contents to assemble prompts that drive subagent behavior, which could allow indirect prompt injection.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill uses runtime GitHub API calls that fetch issue bodies and sub-issue lists (e.g., gh api "repos/$REPO/issues/$ISSUE" and gh api "repos/$REPO/issues/$ISSUE/sub_issues"), and that fetched content is injected verbatim into generated subagent prompts so external content directly controls agent instructions and is required for operation.