DORA Metrics and DevOps Performance

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.70). The skill clearly ingests untrusted, user-generated content from GitHub and incident systems (see .github/workflows/dora-metrics.yml and scripts/collect-dora-metrics.ts which call GitHub APIs to read workflow runs, PRs and issues, and mentions PagerDuty/OpsGenie), and those inputs are used to compute metrics and drive recommendations—so third‑party content can materially influence behavior.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.70). The GitHub Actions workflow includes marketplace action references that are fetched and executed at runtime (e.g., actions/checkout@v4, actions/github-script@v7, actions/upload-artifact@v4), which constitute external repositories whose code runs during workflow execution.