zenmux-feedback

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill's required workflow (Step 0b in SKILL.md and scripts/update-references.sh) explicitly clones/updates the public ZenMux GitHub repo and reads its .github/ISSUE_TEMPLATE/*.yml files (and fetches labels via gh label list), so the agent ingests and acts on open/public repository content which can materially influence issue composition and label decisions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). The skill runs scripts at runtime (scripts/update-references.sh and scripts/get-doc-tree.sh) that clone/pull and read the external Git repository https://github.com/ZenMux/zenmux-doc.git, and those fetched issue-template files are explicitly used as the "source of truth" to control issue composition and prompt behavior, so this external content directly controls agent instructions.