github-actions

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). This skill's workflows explicitly ingest and act on user-generated GitHub content (e.g., on: pull_request triggers and actions/checkout of PRs, the "stale-issues" job using actions/stale, and the PR Checks using amannn/action-semantic-pull-request) so the agent will read and interpret untrusted third-party PR/issue content as part of its workflow.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill's workflows invoke external GitHub Actions that are fetched and executed at runtime—for example aquasecurity/trivy-action referenced as aquasecurity/trivy-action@master (https://github.com/aquasecurity/trivy-action) which uses an unpinned branch and therefore pulls and runs remote code required by the workflow.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 0.80). The skill includes explicit commands that use sudo (e.g., "curl ... | sudo bash" to install act) which push the agent to perform privileged operations on the host, so it can compromise the machine state.