copilot-cli

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly ingests public, user-generated content (e.g., Workflow 3 "Issue-to-PR Automation" in references/pr-workflow.md reads ISSUE_TITLE and ISSUE_BODY from GitHub issues and passes them into copilot prompts, and options like --allow-url/--allow-all-urls and GitHub MCP tool integration allow fetching arbitrary public web/GitHub content), so the agent will read and act on untrusted third-party content.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 0.70). The skill explicitly encourages granting broad, autonomous permissions (e.g., --allow-all, --allow-all-paths, --yolo, allow-all-tools and shell tool usage) which enable the agent to run arbitrary shell and file-modifying operations that can change system state even though it doesn't explicitly instruct sudo or user-creation.