loop-ops

Warn

Audited by Snyk on Jul 4, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (medium risk: 0.65). The runtime LLM context is built from the loop’s own run.md/STATE.md plus tool outputs from allowed connectors (e.g., gh pr list/view/comment), which are outsider-authored PR titles/comments and other third-party text that the agent reads and thus can carry prompt-injection payloads.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.80). The optional GitHub Actions scheduler in assets/examples/pr-watch/github-actions.yml fetches and runs remote code at tick time (it uses actions/checkout which downloads https://github.com/actions/checkout and runs npm i -g @anthropic-ai/claude-code which pulls code from the npm registry, e.g. https://registry.npmjs.org/@anthropic-ai/claude-code) — this installs/executes external software that provides the 'claude' CLI used to run agent prompts, so it is a runtime-fetch that executes remote code.

Issues (2)

W011
MEDIUM

Third-party content exposure detected (indirect prompt injection risk).

W012
MEDIUM

Unverifiable external dependency detected (runtime URL that controls agent).

Audit Metadata
Risk Level
MEDIUM
Analyzed
Jul 4, 2026, 07:00 PM
Issues
2
Security Audit — snyk — loop-ops