sealevel-guard-review

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's resolver (scripts/resolve-program-address.mjs) fetches verified-build metadata and may download public GitHub repositories (via GitHub search and codeload URLs), and the specialist runner (scripts/run-specialists.mjs) then reads and feeds that downloaded source bundle into specialist prompts (including the codex runtime), so untrusted, user-hosted repository content from GitHub/verify.osec.io is ingested and can directly influence automated findings and recommendations.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The resolver fetches verified metadata from https://verify.osec.io/status and then downloads and extracts source tarballs from https://codeload.github.com/... at runtime, and those fetched code files are injected into specialist bundles and model prompts (codex), so remote content can directly control the agent's prompts.