debugging-workflows

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly uses the GitHub CLI to fetch and parse workflow runs, job logs, artifacts, and agentic-workflow markdown (e.g., "gh run list/view/download", "gh aw audit", and the download-workflow-logs.ts / download-workflow-summary.ts scripts), which pulls user-generated content from arbitrary GitHub repos and logs that the agent is expected to read and use to diagnose and take follow-up actions—exposing it to untrusted third-party content that could carry indirect prompt-injection instructions.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 0.80). The skill includes explicit sudo commands (e.g., "sudo awf ..."), Docker/container and iptables-related operations, and instructions that access host files and start services — all of which require elevated privileges and can modify the machine's state.