implementing-supply-chain-security-with-in-toto

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly fetches and acts on untrusted third‑party content: SKILL.md's "Record Pipeline Steps" instructs a git clone of a public GitHub repo (https://github.com/...) as part of the pipeline, and scripts/agent.py issues requests.get calls to arbitrary --target URLs (/api/v1/status and /api/v1/compliance) and interprets the returned JSON to produce findings and decide risk/behavior, meaning external, user-controlled content can materially influence decisions and tool actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). The skill's CI example runs a runtime checkout "git clone https://github.com/org/app.git" which fetches remote repository content that is then built (docker build) and thus can execute remote code the pipeline depends on, so it meets the criteria for a risky external URL.