automate-whatsapp

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's remote sandbox workflow (see "Set up agent node with remote sandbox repositories" in SKILL.md and references/agent-remote-sandbox.md, plus assets/agent-remote-sandbox-github-repo-example.json) explicitly mounts GitHub repositories into /workspace/repos/ for the agent to "inspect" and "read the README and relevant service files before proposing changes," which means the agent will fetch and interpret untrusted/public third‑party (GitHub) content that can directly influence its subsequent actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill's remote sandbox feature explicitly clones configured GitHub repositories at runtime (example repo_url: https://github.com/acme/acme-app) and the agent system_prompt in the example instructs the agent to read the mounted repo while the sandbox exposes tools like bash (allowing execution), so remote repo content can directly control prompts or lead to code execution.