tmdl-mastery

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The SKILL.md CI/CD and references/tmdl-cicd-patterns.md explicitly instruct downloading and executing public resources (TabularEditor from GitHub releases and BPA rules from raw.githubusercontent.com) as part of validation/deploy pipelines, which ingests untrusted third-party content that can change tool behavior.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The CI/CD and GitHub Actions examples download and run a remote binary (TabularEditor) from https://github.com/TabularEditor/TabularEditor/releases/latest/download/TabularEditor.Portable.zip and fetch a rules file from https://raw.githubusercontent.com/microsoft/Analysis-Services/master/BestPracticeRules/BPARules.json at runtime — the former is executed and the latter directly influences the analyzer's behavior, and both are presented as required steps in the pipelines.