github-copilot-cli-expert

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). This skill's workflow explicitly lets the CLI browse and load custom agents and MCP server configs from repository or user locations (see "/agent Browse and select custom agents" and "Custom agent locations: ~/.copilot/agents/, .github/agents/") and includes commands/settings that permit fetching URLs and external MCP servers ("/mcp add", "URL permissions: All URLs require approval" and "--allow-all-urls"), meaning untrusted, user-generated third‑party content can be ingested and influence agent actions.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 0.80). The skill explicitly encourages granting the Copilot CLI broad permissions (e.g., --allow-all-tools, --allow-all-paths/urls, --allow-tool 'shell(...)') and describes where config/trusted folders and MCP/agent files live, which effectively guides bypassing tool prompts and granting filesystem/command access that can let an agent modify system state or sensitive files.