orchestrate-multi-target-sdks

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill permits ingesting OpenAPI specs from arbitrary URLs (see speakeasy configure sources --location https://api.example.com/openapi.yaml / the --location OpenAPI document flag), meaning the agent would read untrusted third‑party content as part of SDK generation.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The workflow uses a remote GitHub Action reference "speakeasy-api/sdk-generation-action/.github/workflows/workflow-executor.yaml@v15" (https://github.com/speakeasy-api/sdk-generation-action), which is fetched and executed at CI runtime and therefore pulls and runs remote code.