codex-git
Warn
Audited by Snyk on Feb 16, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.80). The skill explicitly ingests and analyzes user-generated GitHub content (e.g., "gh pr view ... --json comments > pr-comments.json", and CI steps that "Analyze this PR" or review commits and PR comments). This content is public, third-party input that the agent reads as part of its workflow, so untrusted text can reach the model's context.
MEDIUM W013: Attempt to modify system services in skill instructions.
- Attempt to modify system services in skill instructions detected (high risk: 0.70). While the skill focuses on repository-level git operations (which are generally safe), it repeatedly instructs the agent to use a "--dangerously-bypass-approvals-and-sandbox" flag and profiles that disable approvals and sandboxing, effectively encouraging bypass of agent security controls, even though it does not request sudo, create users, or modify system-level config files.
Audit Metadata