coding-agent

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill explicitly instructs cloning and fetching public GitHub repositories and PRs (e.g., "git clone https://github.com/user/repo.git", "git fetch origin '+refs/pull/*/head:...'", "gh pr checkout") and then runs coding agents in those workdirs, so the agent will ingest and act on untrusted, user-generated content from the open web.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill includes a runtime git clone command (git clone https://github.com/user/repo.git $REVIEW_DIR) which fetches remote repository contents that the coding agent (e.g., Codex) will read and act on, meaning external code/data from that URL can directly influence prompts, reviews, and executed actions.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 0.70). The prompt explicitly encourages running agents unsandboxed (flags like --yolo and an "elevated" host mode) and launching background processes with full host access, which enables bypassing sandboxing and potentially modifying the machine state even if it doesn't directly instruct sudo, user creation, or editing system service/SSH files.