kubernetes

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The SKILL.md includes an ArgoCD Application spec with source.repoURL (${GIT_REPO}) and the included scripts (scripts/argocd-app-sync.sh) and GitHub Actions example explicitly drive ArgoCD/CI to fetch and apply manifests from arbitrary Git repositories, meaning untrusted third-party (public/user) content will be fetched and can materially change agent-driven actions (sync/prune/force).

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The ArgoCD Application manifest references repoURL: ${GIT_REPO} (i.e., an external Git URL such as https://github.com/org/repo.git or git@github.com:org/repo.git), and running scripts/argocd-app-sync.sh or argocd app sync at runtime causes ArgoCD to fetch those remote manifests and apply them to the cluster, which effectively executes remote code and controls deployed behavior.