pre-commit-setup

Warn

Audited by Snyk on Apr 29, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The skill's provided .pre-commit-config.yaml templates (e.g., assets/templates/pre-commit-config-multi-language.yaml and assets/templates/pre-commit-config-minimal.yaml) include many external GitHub repo URLs (for example https://github.com/pre-commit/pre-commit-hooks and https://github.com/gitleaks/gitleaks) that the pre-commit tool will fetch and execute as hooks, meaning untrusted third-party code/content is ingested and can materially affect actions and outputs.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). The skill writes a .pre-commit-config.yaml that includes remote hook repos (for example: https://github.com/pre-commit/pre-commit-hooks and https://github.com/gitleaks/gitleaks), and those URLs are fetched at runtime by pre-commit to download and execute hook code, so they are runtime external dependencies that run remote code and control the behavior of the agent's commit-time checks.

Issues (2)

  • W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
  • W012 (MEDIUM): Unverifiable external dependency detected (runtime URL that controls agent).

Audit Metadata

Risk Level: MEDIUM
Analyzed: Apr 29, 2026, 01:55 PM
Issues: 2