gitops-workflow
Warn
Audited by Snyk on May 5, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The SKILL.md directs fetching and acting on public third‑party content (e.g., applying the ArgoCD install manifest from https://raw.githubusercontent.com/... and using Git/GitHub MCP with repo URLs like https://github.com/org/gitops-repo and Flux/GitRepository URLs), so the agent is expected to read and act on untrusted public repo/page content that can change tool behavior.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill contains runtime installation and GitOps references that fetch and execute remote content — notably "curl -s https://fluxcd.io/install.sh | sudo bash" (executes remote code), "kubectl apply -f https://raw.githubusercontent.com/argoproj/argo-cd/stable/manifests/install.yaml" (fetches and applies remote manifests), and Git repo URLs like "https://github.com/org/gitops-repo" and "https://github.com/org/my-app" which ArgoCD/Flux will pull at runtime to control deployed resources.
MEDIUM W013: Attempt to modify system services in skill instructions.
- Attempt to modify system services in skill instructions detected (high risk: 1.00). The prompt includes explicit privileged installation commands (e.g., "curl -s ... | sudo bash") that ask the agent/user to run sudo and thus request elevated privileges that can modify the host system, so it pushes actions that can compromise the machine state.
Issues (3)
W011
MEDIUM: Third-party content exposure detected (indirect prompt injection risk).
W012
MEDIUM: Unverifiable external dependency detected (runtime URL that controls agent).
W013
MEDIUM: Attempt to modify system services in skill instructions.
Audit Metadata