run-issue-tree

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill fetches and parses live GitHub issue bodies and comments via the gh API (see scripts/issue-tree-status.sh and scripts/dispatch-wave.sh and the SKILL.md line "the issue body doubles as a subagent prompt"), and those untrusted, user-generated contents are read at runtime and used to assemble worker prompts and drive dispatch/decision logic—allowing indirect prompt injection.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill issues runtime gh api calls to GitHub REST endpoints (e.g., https://api.github.com/repos/{owner}/{repo}/issues/{issue_number} and related /sub_issues endpoints) to fetch issue bodies and comments which are written into prompt files and used verbatim to control subagent prompts, so remote GitHub content can directly control agent instructions.