coding-agent

Warn

Audited by Snyk on Mar 9, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The SKILL.md workflow explicitly instructs cloning and fetching public GitHub repositories and PR refs (e.g., "git clone https://github.com/user/repo.git $REVIEW_DIR" and "git fetch origin '+refs/pull//head:refs/remotes/origin/pr/'") and then running coding agents in those workdirs. The agent therefore ingests and acts on untrusted, user-generated third-party content (repository files and PR commits) that can carry instructions which influence its subsequent tool actions.

MEDIUM W013: Attempt to modify system services in skill instructions.

  • Attempt to modify system services in skill instructions detected (high risk: 0.90). The skill explicitly encourages running agents unsandboxed (flags like --yolo / --dangerously-skip-permissions and an "elevated" host mode), and shows examples that run background agents which can perform host-level actions (global installs, commits/pushes), effectively instructing the agent to bypass sandboxing and approvals and thus risking compromise of the machine state.
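
The following Python lint is an added example, not Snyk's scanner and not code from the audited skill. It reproduces both findings above (W011 third-party content ingestion, W013 sandbox/approval bypass) over a constructed SKILL.md sample. Only the two git commands, the flags `--yolo` and `--dangerously-skip-permissions`, and the word "elevated" come from the audit text; the `curl`/`wget` and `--no-sandbox` patterns, the `agent` command name and the `${PR_NUMBER}` placeholder in the sample are assumptions.

```python
"""Constructed SKILL.md lint mirroring the two audit findings above.

Added example: not Snyk's scanner and not the audited skill's code.
W011 = instructions that pull third-party content into the agent's workdir.
W013 = flags or wording that tell the agent to bypass sandboxing/approvals.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str      # "W011" or "W013", reusing the audit's identifiers
    line_no: int   # 1-based line in the scanned text
    snippet: str   # the offending line, stripped


# W011: commands that fetch content the skill author does not control.
THIRD_PARTY_FETCH = (
    re.compile(r"\bgit\s+clone\s+\S*github\.com/"),   # quoted in the audit
    re.compile(r"\bgit\s+fetch\b.*refs/pull/"),        # quoted in the audit
    re.compile(r"\b(curl|wget)\s+\S*https?://"),       # assumption
)

# W013: sandbox / approval bypass.
BYPASS = (
    re.compile(r"--yolo\b"),                            # quoted in the audit
    re.compile(r"--dangerously-skip-permissions\b"),    # quoted in the audit
    re.compile(r"--no-sandbox\b"),                      # assumption
    re.compile(r"\belevated\b", re.IGNORECASE),         # quoted in the audit
)


def scan(text: str) -> list[Finding]:
    """Return one Finding per (rule, line) that matches, in line order."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if any(p.search(line) for p in THIRD_PARTY_FETCH):
            findings.append(Finding("W011", line_no, line.strip()))
        if any(p.search(line) for p in BYPASS):
            findings.append(Finding("W013", line_no, line.strip()))
    return findings


def rules_triggered(findings: list[Finding]) -> set[str]:
    """Set of rule identifiers present in the findings."""
    return {f.rule for f in findings}


# Constructed sample with the shape the audit describes. "agent" and
# PR_NUMBER are placeholders, not text from the real skill.
SAMPLE_SKILL_MD = """# Review a pull request (constructed sample)

1. Clone the repository:
   git clone https://github.com/user/repo.git $REVIEW_DIR
2. Fetch the PR head:
   git fetch origin '+refs/pull/${PR_NUMBER}/head:refs/remotes/origin/pr/${PR_NUMBER}'
3. Run the agent on the checkout without approval prompts:
   agent --dangerously-skip-permissions -p "review this change"
4. For host work, start the agent in elevated mode with --yolo.
5. Push the result:
   git push origin HEAD
"""


if __name__ == "__main__":
    for f in scan(SAMPLE_SKILL_MD):
        print(f"{f.rule} line {f.line_no}: {f.snippet}")
```

Run it on skill files before publishing or installing them. A W011 hit means everything under the cloned workdir is attacker-influenced input and should be reviewed before the agent is allowed to act on it; a W013 hit means the instruction should be rewritten so the agent stays inside its sandbox with approvals enabled.
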

Audit Metadata

Risk Level: MEDIUM
Analyzed: Mar 9, 2026, 10:15 PM