copilot-spaces
Warn
Audited by Snyk on Mar 5, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The SKILL.md explicitly instructs the agent to call mcp__github__get_copilot_space to load a space's full content (documentation, code, custom instructions) and to proactively fetch external GitHub issues, repos, dashboards, and discussions referenced by the space, all of which is user-generated/untrusted third-party content the agent is expected to read and treat as directives.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill invokes the Copilot Spaces API at runtime (e.g., gh api users/{username}/copilot-spaces/{number}) and loads a space's "general_instructions"/custom instructions which the agent is explicitly told to treat as directives, so remote content fetched from that URL can directly control agent prompts.
Audit Metadata