moai-security-devsecops

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.70). The skill's workflows and examples (SKILL.md Level 2 "OWASP ZAP Automated Scanning" and the ZAP Python code in examples.md) explicitly run spider/active scans against arbitrary target URLs and ingest ZAP alert data (descriptions/solutions) which are then used to drive build gates and create Jira issues, meaning untrusted public web content is fetched and parsed and can materially influence subsequent actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The SonarQube GitHub Actions example explicitly downloads and runs a remote binary at runtime from https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-6.1.0.4477-linux.zip, which fetches and executes remote code as a required dependency.