hosted-agents
Warn
Audited by Snyk on Mar 18, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill explicitly ingests untrusted user-generated content — e.g., Slack thread messages (handle_mention + classify_repository), arbitrary repository contents cloned via git in ImageBuilder/sandbox setup, and DOM extracted by the Chrome extension content-script — and the agent reads and acts on that content (classifying repos, running prompts in sandboxes, making commits/creating PRs), so third-party instructions could materially influence tool use and enable indirect prompt injection.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill's runtime build and sandbox code explicitly clones repositories using URLs like "https://x-access-token:{token}@github.com/{repo_url}" and then runs commands (npm install, npm run build, tests, dev servers), which fetches remote code and executes it in the sandbox, so the git clone URL pattern is a runtime dependency that can directly cause execution of remote code.
Issues (2)
W011
MEDIUM Third-party content exposure detected (indirect prompt injection risk).
W012
MEDIUM Unverifiable external dependency detected (runtime URL that controls agent).
Audit Metadata