GitHub Agentic Workflows Operations
Warn
Audited by Snyk on Mar 2, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill's frontmatter and Skill 6, "Import Reusable Agents & Skills", explicitly instruct the system to download and use imports of the form "owner/repo/.github/...@ref" (e.g., public GitHub repositories such as thomast1906/...). These imports are arbitrary third-party, user-generated content that the agent is expected to read and apply to its workflow, so external content can materially influence its actions.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill configures MCP servers that are pulled from external registries and executed at runtime, e.g. the container images "hashicorp/terraform-mcp-server:0.3.3" and "mcr.microsoft.com/azure-sdk/azure-mcp:latest". These are required runtime dependencies, so the skill fetches and runs remote code.
Audit Metadata