github-agentic-workflows

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The SKILL.md explicitly instructs the agent to read and act on public, user-generated GitHub content (e.g., "gh issue view", "gh pr list", reading issue titles/bodies, and fetching files via raw.githubusercontent.com) and to use web-search, which exposes it to untrusted third-party content that can influence actions like labeling, commenting, and creating PRs.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). The workflow includes a runtime action "uses: github/gh-aw@v1" (https://github.com/github/gh-aw) which GitHub Actions will fetch and execute at workflow runtime and that action implements the agent runtime that controls prompts and runs code, so it is a required remote dependency.