github-workflow-automation
Warn
Audited by Snyk on Feb 19, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill ingests and acts on untrusted, user-generated GitHub content. For example, the "AI Review" step sends PR diffs (steps.diff outputs) to the model, the Issue Triage workflow analyzes issue.title and issue.body, and the @ai-helper mention bot extracts comment text and PR/issue context via gh pr diff / gh issue view. All of this content is read by the AI and can influence labels, comments, rebases, deployments, or other actions, which enables indirect prompt injection.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.70). The workflows call the external GitHub Action actions/github-script@v7 (https://github.com/actions/github-script), which is fetched and executed at runtime and runs remote JavaScript that constructs and sends AI prompts (and executes code). This makes it a required runtime dependency capable of controlling prompts and executing code.
Audit Metadata