Prompt template substitution is insecure #117
Description
The way that template string substitution is implemented is fragile and insecure. I would expect it to behave like GitHub Actions substitution where it is applied to the parsed values, but instead it is applied directly to the file before parsing. This means that any YAML formatted-values in the substitution is parsed along with the rest of the prompt file.
At best this means that it is very easy to end up with syntax errors, but at worst it means input could completely change the generated prompt metadata, including changing models, system prompts etc. It is very easy to end up with untrusted content in there where, for example, it reads files from a PR or the contents of an issue.