slo-investigate

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's SKILL.md explicitly instructs the agent to extract runbook/dashboard URLs from SLO annotations and, if a GitHub URL is found, to fetch the runbook content via gh api (and handle raw.githubusercontent.com links), meaning it ingests and acts on arbitrary public GitHub/runbook content that could be untrusted and influence next actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill explicitly instructs fetching runbook content at runtime from GitHub (e.g., via gh api /repos///contents/ and raw.githubusercontent.com URLs) and decoding/injecting that content into the agent output, which means external content would directly control prompts/instructions.