gitops-workflows
Warn
Audited by Snyk on Apr 12, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.80). The SKILL.md explicitly instructs fetching and using public third‑party content (e.g., kubectl apply -f https://raw.githubusercontent.com/argoproj/argoproj/argo-cd/v3.1.9/manifests/install.yaml and GitRepository/OCIRepository entries pointing at public GitHub/ghcr.io repos such as https://github.com/argoproj/argocd-example-apps.git and oci://ghcr.io/...), so the agent's workflow causes it or the deployed controllers to ingest untrusted, user/third‑party content that can materially affect actions and behavior.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill includes explicit runtime commands that fetch and execute remote content—e.g., "curl -s https://fluxcd.io/install.sh | sudo bash" and "kubectl apply -f https://raw.githubusercontent.com/argoproj/argo-cd/v3.1.9/manifests/install.yaml"—so these external URLs are used at runtime to execute remote code/manifests.
MEDIUM W013: Attempt to modify system services in skill instructions.
- Attempt to modify system services in skill instructions detected (high risk: 0.90). The prompt explicitly suggests running a remote installer with "curl -s https://fluxcd.io/install.sh | sudo bash", which asks for sudo privileges and would modify the host system, so it should be flagged.
Issues (3)
- MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- MEDIUM W013: Attempt to modify system services in skill instructions.