GitHub Agentic Workflows Security Architecture

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The SKILL.md explicitly grants the agent network access and shows runtime examples that call external URLs (e.g., await fetch(url); allowed egress endpoints like registry.npmjs.org and pypi.org, and mentions a web_search tool in config and pre-commit checks), which means the agent can fetch and read untrusted public third‑party content that could influence its actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The GitHub Actions workflow specifies a runtime container image (ghcr.io/github/copilot-agent-sandbox:latest) which will be pulled and executed during workflow runtime, making it an external dependency that runs remote code and is required for the skill's execution.