security-scanning-security-dependencies

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill explicitly runs external dependency scanners (e.g., npm audit, safety, govulncheck, cargo audit) as shown in resources/implementation-playbook.md and the SKILL.md context, which fetch advisories from public registries and the agent parses those outputs to generate remediation plans and automation, so untrusted third‑party advisory content can materially influence decisions and actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.70). The CI and scan steps fetch and run remote code via the Go module install "golang.org/x/vuln/cmd/govulncheck@latest", which is invoked at runtime (go install) and thus downloads and executes external code the skill depends on.