coding-agent

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's workflows and scripts explicitly instruct the agent to checkout and review GitHub PRs (e.g., "gh pr checkout " and "timeout 600s codex review --base ") and to act on repository/PR content, which are user-generated/untrusted third‑party inputs that the agent will read and use to decide and perform follow-up actions.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 1.00). The skill explicitly advocates "permission bypass" and CLI flags like --yolo and --dangerously-skip-permissions to run agent CLIs with full autonomy (no prompts), which encourages bypassing security mechanisms and enables arbitrary state-changing commands on the host.