agent-eval

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.85). Outsider-authored free text is ingested when audit.sh clones the selected public GitHub repo from corpus.json and the agent reads/indexes its source files (repo body text authored by third parties) into the LLM context via CodeGraph Read/Grep results.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). corpus.json contains many GitHub repo URLs (e.g. https://github.com/excalidraw/excalidraw) that audit.sh clones at runtime into /tmp/codegraph-corpus and whose code is indexed/served to the agent, so remote content is fetched during runtime and injected into the agent's context (directly influencing prompts/outputs).