devops-pipeline

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.70). The skill's required workflow creates and installs .pre-commit-config.yaml hooks (references/precommit-configs.md) and GitHub Actions workflows (references/github-actions.md) that reference public GitHub repos/actions and explicitly instruct running pre-commit (pre-commit install / pre-commit run --all-files), which will fetch and execute untrusted third‑party code that could influence behavior.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill supplies .pre-commit-config.yaml and GitHub Actions templates that reference external repositories which are fetched and executed at runtime (e.g., https://github.com/pre-commit/pre-commit-hooks and uses: actions/checkout@v4), so remote code/repos will be downloaded and run as required dependencies.