coding-agent

Warn

Audited by Snyk on Mar 6, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 1.00). The skill's SKILL.md explicitly instructs the agent to clone and review public GitHub repos (e.g., "git clone https://github.com/user/repo.git $REVIEW_DIR", then running codex review on PRs). The agent therefore fetches and interprets untrusted, user-generated content; instructions embedded in that content (in source comments, READMEs, PR descriptions) can steer the actions the skill goes on to take, such as reviews, commits, and pushes.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.80). The skill runs a git clone at runtime (git clone https://github.com/user/repo.git) to produce the workspace the coding agent operates on. The target is a placeholder filled in at run time rather than a pinned, verifiable artifact, so whatever the clone returns becomes runtime input that directly shapes the agent's context and actions.

MEDIUM W013: Attempt to modify system services in skill instructions.

  • Attempt to modify system services in skill instructions detected (high risk: 0.70). The prompt explicitly encourages running coding agents directly on the host with sandboxing disabled (the "elevated" option and the "--yolo" flag, described as "NO sandbox, NO approvals"). This permits arbitrary host-level commands and removes the approval gate, effectively bypassing security boundaries even though the skill never explicitly requests sudo or user creation. Combined with W011 and W012, it means any instruction injected through the cloned repository would execute with the host user's privileges.
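The three findings above are heuristic matches on the skill's instruction text: a runtime fetch of remote content, an instruction to act on third-party repos or PRs, and wording that turns the sandbox or approvals off. The following Python is an added example of such a check for a reviewer to run over a SKILL.md before installing a skill; it is not Snyk's scanner and not code from the audited skill. The rule IDs W011/W012/W013 are reused as labels only, the regexes list only the terms quoted in the findings, and both SKILL.md samples are constructed for illustration.

```python
"""Heuristic SKILL.md linter for the three warning classes above.

Added example: not Snyk's scanner and not code from the audited skill.
Rule IDs W011/W012/W013 are reused as labels only; the regexes and the
sample SKILL.md texts below are constructed for illustration.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str
    line: int
    evidence: str


# W012: a command that fetches remote content at runtime, so the fetched
# bytes become the agent's workspace/context. The URL is captured so a
# reviewer can allow-list or pin it.
RUNTIME_FETCH = re.compile(
    r"\b(?:git\s+clone|curl|wget)\b[^\n]*?(https?://\S+)", re.I
)

# W011: an instruction to review or act on third-party repos/PRs/issues,
# i.e. to interpret user-generated content that can steer later actions.
THIRD_PARTY_REVIEW = re.compile(
    r"\b(?:review|summari[sz]e|triage)\b.*\b(?:prs?|pull requests?|repos?|issues?)\b",
    re.I,
)

# W013: wording that disables the agent's sandbox or approval gate. Only the
# terms quoted in the findings are listed; extend this for other agents.
SANDBOX_OFF = re.compile(
    r"--yolo\b|\bno\s+sandbox\b|\bno\s+approvals?\b|\belevated\b", re.I
)

RULES = (
    ("W012", RUNTIME_FETCH),
    ("W011", THIRD_PARTY_REVIEW),
    ("W013", SANDBOX_OFF),
)


def lint_skill(text: str) -> list[Finding]:
    """Return one Finding per (rule, line) whose pattern matches that line."""
    findings: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # skip blank lines and markdown headings
        for rule, pattern in RULES:
            if pattern.search(stripped):
                findings.append(Finding(rule, lineno, stripped))
    return findings


def remote_urls(text: str) -> list[str]:
    """URLs the skill fetches at runtime: the inputs a reviewer must vet."""
    return [m.group(1) for m in RUNTIME_FETCH.finditer(text)]


def rules_triggered(text: str) -> set[str]:
    return {f.rule for f in lint_skill(text)}


# Constructed sample mirroring the instructions the findings above quote.
SAMPLE_SKILL_MD = """\
# coding-agent

## Setup
Run: git clone https://github.com/user/repo.git $REVIEW_DIR
Then run `codex review` on the open PRs and push the fixes.

## Modes
- default: sandboxed, approvals required
- elevated: run on the host with --yolo (NO sandbox, NO approvals)
"""

# Constructed benign skill: no remote fetch, sandbox stays on.
SAFE_SKILL_MD = """\
# formatter
Run the formatter inside the sandbox on the current checkout and report diffs.
"""

if __name__ == "__main__":
    for f in lint_skill(SAMPLE_SKILL_MD):
        print(f"{f.rule} line {f.line}: {f.evidence}")
    print("runtime URLs:", remote_urls(SAMPLE_SKILL_MD))
```

Run against the constructed sample it reports one hit per class (W012 on the clone line, W011 on the review line, W013 on the elevated mode line) and none on the benign skill. A real reviewer would treat the W012 URL list as the set of inputs to pin to a commit or mirror internally, and any W013 hit as a reason to refuse the skill outright unless the host is disposable.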
Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 6, 2026, 06:18 PM