GitHub Actions Integration for Agentic Workflows

Warn

Audited by Snyk on Mar 12, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The workflows ingest untrusted, user-generated and public data. For example, .github/workflows/agent-issue-triage.yml passes ISSUE_BODY and issue/comment text into python scripts/agents/issue_triage.py, and other workflows such as agent-nightly-intelligence.yml pull from external APIs such as the Riksdag API and the "CIA Intelligence Platform". The agent reads and acts on this content to add labels and assignees, post comments, and create PRs, so third-party content can materially influence agent actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). The workflow runs remote code via npx @modelcontextprotocol/gateway, which is installed and executed at runtime and which the agents depend on for MCP prompts and behavior. The package fetch from the npm registry for @modelcontextprotocol/gateway is therefore a runtime external dependency that can execute code and directly affect agent prompts.

Issues (2)

W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).

W012 (MEDIUM): Unverifiable external dependency detected (runtime URL that controls agent).

Audit Metadata

Risk Level: MEDIUM
Analyzed: Mar 12, 2026, 11:52 PM
Issues: 2