autonomous-common

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly fetches and parses user-generated GitHub content (e.g., via gh api / graphql in hooks/verify-completion.sh, scripts/mark-issue-checkbox.sh, scripts/resolve-threads.sh and related hooks) and uses that content to make workflow decisions (block/unblock completion, count unresolved review threads, display comment excerpts), so untrusted third-party content can materially influence agent behavior.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The hooks (e.g., verify-completion.sh) call the GitHub GraphQL API at https://api.github.com/graphql (via gh api graphql) at runtime and inject fetched PR review comment text into the generated systemMessage, thereby allowing remote GitHub content to directly influence agent prompts.