NYC

coding-agent

Warn

Audited by Snyk on Feb 16, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The skill actively clones and fetches public GitHub repositories and PR refs (e.g., "git clone https://github.com/user/repo.git", "git fetch origin '+refs/pull/*/head:...'", and running codex review/git diff on PRs), which causes the agent to ingest and interpret untrusted, user-generated content from third-party websites.

MEDIUM W013: Attempt to modify system services in skill instructions.

  • Attempt to modify system services in skill instructions detected (high risk: 0.80). The prompt explicitly encourages running coding agents unsandboxed (e.g., the --yolo flag and an "elevated" host mode), runs arbitrary shell commands (install/build/push) in user workdirs, and even shows examples that auto-approve and notify the host. While it does not literally instruct the agent to "run sudo" or "create users," the guidance to disable sandboxes and run on the host meaningfully pushes the agent toward compromising machine state.
Audit Metadata

Risk Level: MEDIUM
Analyzed: Feb 16, 2026, 12:40 AM