buildkite-pipelines

Warn

Audited by Snyk on May 1, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The skill explicitly documents dynamic pipeline generators and the "handler pattern" that run repository scripts, clone external repos, download artifacts, and call external APIs (see references/dynamic-pipeline-patterns.md and the SKILL.md dynamic pipelines/handler sections) and even warns that forked PRs can modify .buildkite/, meaning untrusted, user-provided third‑party content can be ingested and directly influence pipeline uploads and agent behavior.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 1.00). The skill includes a runtime example that clones and executes remote code—"git clone git@github.com:example-org/infra-repo.git /tmp/infra" followed by "python /tmp/infra/pipeline-generator/generate.py | buildkite-agent pipeline upload"—so the repository URL (git@github.com:example-org/infra-repo.git) is fetched at runtime and its code directly generates/executes the pipeline steps.

Issues (2)

W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).

W012 (MEDIUM): Unverifiable external dependency detected (runtime URL that controls agent).

Audit Metadata
Risk Level: MEDIUM
Analyzed: May 1, 2026, 07:49 PM
Issues: 2