run-issue-tree

Warn

Audited by Snyk on May 10, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The skill reads and ingests user-generated GitHub issue bodies and comments (e.g., Execute Mode E3: "gh issue view ... --json title,body,labels,assignees,comments" and the Subagent Dispatch flow in references/subagent-dispatch.md) and explicitly uses those verbatim texts to assemble and dispatch subagent prompts, so untrusted third-party content can materially influence tool actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). The skill reads GitHub issue bodies at runtime (e.g., via commands like gh issue view NUMBER --repo "$REPO" --json title,body and gh api "repos/$REPO/issues/NUMBER/sub_issues") and uses those fetched issue bodies verbatim to assemble and dispatch subagent prompts, so GitHub-hosted issue content is an external runtime-controlled instruction source.

Issues (2)

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

Audit Metadata
Risk Level: MEDIUM
Analyzed: May 10, 2026, 03:49 PM
Issues: 2