diff --git a/.changeset/patch-fix-unsafe-quoting-frontmatter-import-directive.md b/.changeset/patch-fix-unsafe-quoting-frontmatter-import-directive.md
new file mode 100644
index 00000000000..285382e8f4b
--- /dev/null
+++ b/.changeset/patch-fix-unsafe-quoting-frontmatter-import-directive.md
@@ -0,0 +1,7 @@
+---
+"gh-aw": patch
+---
+
+Security Fix: Unsafe Quoting in Import Directive Warning (Alert #8)
+
+Fixed unsafe string quoting in the `processIncludesWithVisited` function that could lead to potential injection vulnerabilities. The fix applies Go's `%q` format specifier to safely escape special characters in deprecation warning messages, replacing the unsafe `'%s'` pattern. This addresses CodeQL alert #8 (go/unsafe-quoting) related to CWE-78 (OS Command Injection), CWE-89 (SQL Injection), and CWE-94 (Code Injection).
diff --git a/pkg/parser/frontmatter.go b/pkg/parser/frontmatter.go
index 3f737dbed92..4cda24e45d1 100644
--- a/pkg/parser/frontmatter.go
+++ b/pkg/parser/frontmatter.go
@@ -517,9 +517,15 @@ func processIncludesWithVisited(content, baseDir string, extractTools bool, visi
 if directive != nil {
 // Emit deprecation warning for legacy syntax
 if directive.IsLegacy {
- fmt.Fprintln(os.Stderr, console.FormatWarningMessage(fmt.Sprintf("Deprecated syntax: '%s'. Use '{{#import%s %s}}' instead.",
+ // Security: Escape strings to prevent quote injection in warning messages
+ // Use %q format specifier to safely quote strings containing special characters
+ optionalMarker := ""
+ if directive.IsOptional {
+ optionalMarker = "?"
+ }
+ fmt.Fprintln(os.Stderr, console.FormatWarningMessage(fmt.Sprintf("Deprecated syntax: %q. Use {{#import%s %s}} instead.",
 directive.Original,
- map[bool]string{true: "?", false: ""}[directive.IsOptional],
+ optionalMarker,
 directive.Path)))
 }
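Review bot: The new fmt.Sprintf line applies `%q` only to directive.Original; directive.Path is still interpolated through a bare `%s` on the new side, so if the path comes from the parsed workflow text (as the field name suggests) a value containing newlines or terminal escape sequences can still forge extra warning lines or emit control sequences on os.Stderr, which is the only thing the `%q` change actually protects against. If the intent is a fully sanitized diagnostic, quote the suggested replacement as one unit, e.g. `fmt.Sprintf("Deprecated syntax: %q. Use %q instead.", directive.Original, "{{#import"+optionalMarker+" "+directive.Path+"}}")`, which escapes both untrusted pieces without inserting quote characters into the directive syntax being recommended. The `// Security:` comment also overstates the sink: this string is written to stderr, not handed to a shell, SQL engine or evaluator, so the CWE-78/89/94 labels in the changeset describe the CodeQL query category rather than an injection reachable here, and `// Quote user-controlled text so a crafted path cannot forge or garble warning output` would state the real benefit. processIncludesWithVisited starts before this hunk and continues after it.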