coding-agent

Warn

Audited by Snyk on Feb 23, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The SKILL.md explicitly instructs the agent to clone and fetch GitHub repos/PR refs (e.g., "git clone https://github.com/user/repo.git" and "git fetch origin '+refs/pull/*/head:...'" and then run coding agents to review PRs), which means the agent will ingest untrusted, user-provided code/PR content from public third-party sources and act on it (reviews, commits, pushes), enabling indirect prompt injection.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). The skill's runtime examples explicitly run git clone https://github.com/user/repo.git and then invoke Codex/agent commands in that cloned directory, so remotely fetched repository contents would be used at runtime to shape prompts or introduce executable code into the agent's environment.

MEDIUM W013: Attempt to modify system services in skill instructions.

  • Attempt to modify system services in skill instructions detected (high risk: 0.80). The prompt explicitly encourages running coding agents unsandboxed (e.g., the --yolo flag and an "elevated" host mode), runs arbitrary shell commands (install/build/push) in user workdirs, and even shows examples that auto-approve and notify the host. While it doesn't literally instruct "run sudo" or "create users," the guidance to disable sandboxes and run on the host meaningfully pushes the agent toward compromising machine state.

Audit Metadata

Risk Level: MEDIUM
Analyzed: Feb 23, 2026, 12:56 PM