loop-ops
Warn
Audited by Snyk on Jul 4, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (medium risk: 0.65). The runtime LLM context is built from the loop’s own
run.md/STATE.mdplus tool outputs from allowed connectors (e.g.,gh pr list/view/comment), which are outsider-authored PR titles/comments and other third-party text that the agent reads and thus can carry prompt-injection payloads.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.80). The optional GitHub Actions scheduler in assets/examples/pr-watch/github-actions.yml fetches and runs remote code at tick time (it uses actions/checkout which downloads https://github.com/actions/checkout and runs npm i -g @anthropic-ai/claude-code which pulls code from the npm registry, e.g. https://registry.npmjs.org/@anthropic-ai/claude-code) — this installs/executes external software that provides the 'claude' CLI used to run agent prompts, so it is a runtime-fetch that executes remote code.
Issues (2)
W011
MEDIUMThird-party content exposure detected (indirect prompt injection risk).
W012
MEDIUMUnverifiable external dependency detected (runtime URL that controls agent).
Audit Metadata