coding-agent

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly instructs cloning and fetching public GitHub repositories and PR refs (e.g., "git clone https://github.com/user/repo.git $REVIEW_DIR" and "git fetch origin '+refs/pull/*/head:...'" in SKILL.md) and then runs coding agents (codex/claude/pi) in those workdirs, so untrusted user-generated repo/PR content is read and can materially influence agent actions (reviews, builds, commits, notifications).