devops-pipeline

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill's required workflow and config templates (e.g., .pre-commit-config.yaml entries in SKILL.md/references/precommit-configs.md and GitHub Actions templates using actions like pre-commit/action@v3.0.1 and codecov in references/github-actions.md) instruct running tools that will fetch and execute code from public GitHub repositories (untrusted user-generated content) as part of the pre-commit/CI workflow, which can materially affect tool behavior and next actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill’s templates install and run external pre-commit hooks and GitHub Actions which will fetch and execute remote code at runtime (e.g., the pre-commit hook repo https://github.com/pre-commit/pre-commit-hooks and the CI action reference pre-commit/action@v3.0.1), so these URLs represent runtime-executed external dependencies.