sonarcloud-link-inspector

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). This skill fetches and ingests data directly from public SonarCloud URLs/APIs (see scripts/sonarcloud_api.py calling sonarcloud.io and SKILL.md instructing the agent to use the returned "agent_summary" to guide code fixes), so untrusted third-party content can be read and can materially influence the agent's next actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.70). The skill performs runtime requests to SonarCloud API endpoints (e.g. https://sonarcloud.io/api/issues/search and https://sonarcloud.io/api/rules/show) and injects the returned rule descriptions and summaries into the agent's "agent_summary" guidance, so remote content directly influences agent instructions and is required for the skill to operate.