gitops-workflow

CRITICAL E004: Prompt injection detected in skill instructions.

• Potential prompt injection detected (high risk: 0.90). The skill includes a mandatory "Memory Protocol" that instructs the agent to read and write local memory files and change its assumed behavior—instructions unrelated to GitOps and effectively directing the agent to perform hidden/local state operations outside the skill's stated purpose.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's required workflow (SKILL.md) explicitly instructs fetching and executing manifests and repositories from public GitHub URLs (e.g., "kubectl apply -f https://raw.githubusercontent.com/argoproj/argo-cd/stable/manifests/install.yaml" and the Flux "flux bootstrap github" / GitRepository URLs), meaning it ingests untrusted, user-controlled third‑party content that can materially change tool behavior.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill includes runtime commands that fetch and execute remote content — notably curl -s https://fluxcd.io/install.sh | sudo bash (executes a remote install script) and kubectl apply -f https://raw.githubusercontent.com/argoproj/argo-cd/stable/manifests/install.yaml (fetches and applies remote manifests), and it relies on Git repo URLs like https://github.com/org/gitops-repo and https://github.com/org/my-app as required runtime sources for deployment manifests.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 1.00). Yes — the skill explicitly instructs running a privileged install (curl ... | sudo bash) and directs reading/writing local memory files, which encourage modifying the host system state and using sudo.