cloudflare-sandbox
Warn
Audited by Snyk on Feb 15, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill explicitly fetches and clones arbitrary public repositories (e.g., sandbox.gitCheckout(repoUrl, ...) in the CI/CD and AI-agent patterns) and accepts/executes user-supplied code from request bodies (e.g., { code, language } = await request.json()), so it ingests untrusted third‑party/user-generated content as part of its workflow.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.80). The skill explicitly performs runtime git checkouts of external repositories (e.g., https://github.com/user/repo) via sandbox.gitCheckout, which fetches remote code at runtime that can be executed in the container and thus directly affects execution behavior.