coding-agent
Warn
Audited by Snyk on May 16, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill's SKILL.md explicitly instructs cloning public GitHub repositories and fetching PR refs (e.g., "git clone https://github.com/user/repo.git $REVIEW_DIR" and "git fetch origin '+refs/pull//head:refs/remotes/origin/pr/'") and then running coding agents (e.g., codex exec 'Review PR #86. git diff origin/main...origin/pr/86'), so the agent will read and act on untrusted, user-generated third-party code/PR content which could contain malicious instructions.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.80). The skill explicitly runs git clone https://github.com/user/repo.git at runtime to provide repository contents that the coding agents (e.g., codex review) consume as their working context (and may trigger installs/commands), so remote content can directly control prompts/behavior and be executed.
MEDIUM W013: Attempt to modify system services in skill instructions.
- Attempt to modify system services in skill instructions detected (high risk: 0.90). The prompt explicitly encourages running coding agents with options that remove sandboxing and approvals (e.g. --yolo, --full-auto, an "elevated" host flag), gives examples that install global packages and run arbitrary shell commands that commit/push or change files, and therefore pushes the agent toward modifying the host system state and bypassing protections.
Issues (3)
W011
MEDIUM: Third-party content exposure detected (indirect prompt injection risk).
W012
MEDIUM: Unverifiable external dependency detected (runtime URL that controls agent).
W013
MEDIUM: Attempt to modify system services in skill instructions.
Audit Metadata