coding-agent
Warn
Audited by Snyk on Apr 7, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill's required workflow (SKILL.md) explicitly instructs cloning and fetching public GitHub repositories and PRs (e.g., "git clone https://github.com/user/repo.git $REVIEW_DIR" and "codex review ..."), which means the agent will ingest untrusted, user-generated code and PR content from the open web and act on it (review, run, or commit), enabling indirect prompt-injection via those third-party files.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 1.00). index.js makes a runtime HTTPS call to the Google Gemini endpoint (https://generativelanguage.googleapis.com/v1/models/gemini-3.1-pro:generateContent) and directly uses the returned text (result.candidates[0].content.parts[0].text) as the agent's generated code/output, so the external response controls the agent's instructions and is a required dependency.
MEDIUM W013: Attempt to modify system services in skill instructions.
- Attempt to modify system services in skill instructions detected (high risk: 0.70). The prompt does not explicitly ask for sudo, user creation, or editing system configs, but it repeatedly encourages running unsandboxed/elevated agents (e.g. --yolo, elevated:true, host execution) and running arbitrary install/command sequences that can modify the host state, so it meaningfully pushes the agent toward compromising the machine.
Issues (3)
W011 - MEDIUM: Third-party content exposure detected (indirect prompt injection risk).
W012 - MEDIUM: Unverifiable external dependency detected (runtime URL that controls agent).
W013 - MEDIUM: Attempt to modify system services in skill instructions.
Audit Metadata