hosted-agents

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill clearly ingests untrusted third‑party content: it clones and reads arbitrary GitHub repositories at runtime (see git clone usages in references/infrastructure-patterns.md and scripts/sandbox_manager.py), reads Slack thread messages for context (references/infrastructure-patterns.md Slack handler), and extracts DOM from web pages via the Chrome extension content-script.ts — all of which the agent is expected to interpret and then take actions (run agents, create PRs, spawn sessions), enabling indirect prompt injection.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). The skill performs runtime git clones (e.g., "git clone https://x-access-token:{token}@github.com/{repo}") and executes build/test commands (npm install, npm run build, npm test) inside sandboxes, meaning external GitHub repository content is fetched at runtime and executed as a required dependency.