coding-agent
Warn
Audited by Snyk on Mar 14, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). SKILL.md explicitly instructs cloning and fetching public GitHub repositories and PR refs (e.g., "git clone https://github.com/user/repo.git $REVIEW_DIR" and "git fetch origin '+refs/pull//head:refs/remotes/origin/pr/'") and then running coding agents (codex/claude/pi) to read, review, modify, and post results, so untrusted, user-generated third-party content is ingested and can directly influence tool actions.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill instructs cloning and running against a remote repository at runtime (git clone https://github.com/user/repo.git), which will fetch external code that the agent reads to form prompts/decisions and may be installed/executed (e.g., pnpm install), so the fetched content can directly control agent behavior and execute remote code.
MEDIUM W013: Attempt to modify system services in skill instructions.
- Attempt to modify system services in skill instructions detected (high risk: 0.80). The prompt explicitly encourages bypassing sandboxing and permission checks (e.g., --permission-mode bypassPermissions, --dangerously-skip-permissions, --yolo, and an "elevated" host option) and instructs running agents on the host with PTY/background control, which enables the agent to modify the machine state and evade safety controls.
Issues (3)
W011
MEDIUM: Third-party content exposure detected (indirect prompt injection risk).
W012
MEDIUM: Unverifiable external dependency detected (runtime URL that controls agent).
W013
MEDIUM: Attempt to modify system services in skill instructions.
Audit Metadata