vulnerability-resolver

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill's required workflow explicitly downloads and parses dependency-check report artifacts (e.g., "gh run download -n 'Depcheck report'") and tells the agent to read CVE details and external sources (NVD, GitHub Advisory, nuget.org) to decide fixes vs suppressions, so public third‑party content is ingested and can materially influence actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill instructs running the repository's GitHub Actions workflow (e.g., via "gh workflow run cve-scanning.yml"), and that workflow explicitly uses the external action dependency "uses: dependency-check/Dependency-Check_Action@1b5d19fd4a32ff0ff982e8c9d8e27dbf7ac8a46c" which will fetch and execute remote code at runtime, so this external GitHub Action is a runtime-executed dependency.