implementing-semgrep-for-custom-sast-rules

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.70). The skill explicitly allows using Semgrep Registry configs (e.g., SKILL.md "Use Semgrep registry rules" and references/CLI examples like --config p/python or r/python.lang.security) which are public, community-hosted rule packs that the agent.py can fetch at runtime via --config and then parses rule-provided messages/severity/metadata (see scripts/agent.py parse_findings and risk_level computation), so untrusted third-party rule content can influence reported severities and the agent's risk-level/outputs.