golang-continuous-integration

Warn

Audited by Snyk on Mar 23, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.80). The SKILL.md explicitly instructs the agent to "search the internet for the latest stable major version of each GitHub Action" (SKILL.md → "Action Versions"), which requires fetching public third-party web pages and using their content to decide version pins when generating workflows.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.80). The security workflow installs and runs remote code at CI runtime via "go install golang.org/x/vuln/cmd/govulncheck@latest" (and several steps use external GitHub Actions like actions/checkout@v6 which are fetched and executed), so the skill includes runtime external dependencies that execute remote code.

Issues (2)

W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).

W012 (MEDIUM): Unverifiable external dependency detected (runtime URL that controls agent).

Audit Metadata

Risk Level: MEDIUM
Analyzed: Mar 23, 2026, 08:30 AM
Issues: 2