coding-agent-2

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). This skill's SKILL.md explicitly instructs cloning and reviewing public GitHub repositories (e.g., "git clone https://github.com/user/repo.git $REVIEW_DIR" and "git diff origin/main...origin/pr/86") and running coding agents on that checked-out code, which causes the agent to fetch and interpret untrusted, user-generated third-party content as part of its workflow.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). The SKILL contains an explicit runtime git clone (git clone https://github.com/user/repo.git $REVIEW_DIR) which fetches remote repository content that is then used as the agent's workspace/context for Codex/other CLIs—effectively injecting external code/content into the model's input and controlling its behavior at runtime.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 0.80). The prompt explicitly encourages running agents with a "no sandbox / no approvals" mode (--yolo) and an "elevated" host option (run on host instead of sandbox), which effectively promotes bypassing security/sandboxing and enables arbitrary changes to the machine even if it doesn't directly call for sudo or account creation.