claude-code-action

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). This skill explicitly ingests user-generated GitHub issue/PR comments as prompts (see "Interactive (PR/Issue mentions)" in SKILL.md and inputs.md: "If not set, Claude uses the triggering comment/issue body"), which are untrusted third-party contents that can directly drive edits, PRs, and other agent actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The workflow explicitly uses external GitHub actions fetched and executed at runtime — notably "uses: anthropics/claude-code-action@v1" (github.com/anthropics/claude-code-action) and also "uses: actions/github-script@v7" — which pull remote code that runs in the workflow and can control prompts/agent behavior.