github-integration

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill explicitly enables the agent to use the gh CLI to call GitHub APIs and list/view PRs, issues, and repository content from public GitHub domains (e.g., github.com, api.github.com, raw.githubusercontent.com) — untrusted, user-generated third-party sources that the agent is expected to read and act on as part of the documented workflow (see SKILL.md commands and references/cloud-auth.md).

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). Flagged because the Copilot setup workflow runs at session start and includes actions referenced like "uses: actions/checkout@v4" (https://github.com/actions/checkout) which fetches and executes remote GitHub Actions code during workflow runtime and is required for the setup steps.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 0.80). The skill directs installing the gh CLI via apt in setup scripts/SessionStart hooks (and modifying environment settings), which modifies system state and requires elevated privileges, so it encourages changes to the machine environment.