create-agent

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly clones and reads arbitrary repositories and uses public MCP servers (see "Default Configuration" clone section and the "Multi-Stage Agent" example in references/agent-examples.md with clone: username/test-repo and GitHub MCP URLs), meaning it ingests untrusted user-generated code/PR content which the agent must interpret and then take actions (generate tests, create PRs, post comments), so third-party content could materially influence its behavior and enable indirect prompt injection.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill explicitly pulls and runs an external container image (pkg.harness.io/vrvdt5ius7uwygso8s0bia/harness-agents/claude-code-plugin:main) at runtime and configures MCP endpoints used during execution (e.g., https://api.githubcopilot.com/mcp/ and example ngrok MCP URLs) which are runtime dependencies that execute remote code or enable remote control of agent actions.