bitbucket-automation

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The SKILL.md explicitly instructs the agent to fetch and read user-generated Bitbucket content (e.g., BITBUCKET_GET_PULL_REQUEST, BITBUCKET_GET_PULL_REQUEST_DIFF, BITBUCKET_LIST_ISSUES and related endpoints) and then act on that content (create comments, branches, PRs, issues), meaning untrusted third-party content can influence tool use and decisions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). The skill requires adding and contacting the MCP server at https://rube.app/mcp at runtime to retrieve tool schemas and manage RUBE_SEARCH_TOOLS/RUBE_MANAGE_CONNECTIONS, so fetched content from that URL can directly control the agent's available instructions and behavior.