terraform-provider-upgrade

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's workflow (SKILL.md) explicitly instructs the agent to call resolveProviderDocID/getProviderDocs and fetch upgrade guides and resource docs from public sources (e.g., the Terraform Registry and linked GitHub release notes) and to analyze them to drive migration decisions, which exposes the agent to untrusted third‑party web content that can influence actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill makes runtime calls (resolveProviderDocID / getProviderDocs) to fetch provider upgrade guides and docs (e.g., https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/guides/4.0-upgrade-guide), and that external documentation is used to drive migration instructions and code changes, so external content fetched at runtime directly controls the agent's behavior.