wjs-publishing-testflight

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The GitHub Actions workflow fetches and executes remote actions (uses: actions/checkout@v6 and ruby/setup-ruby@v1), installs gems from https://rubygems.org, and at runtime fastlane/match will clone the certs repo (git_url: https://github.com/jianshuo/YOUR_APP-certs.git), all of which are required during execution and involve fetching/executing remote code or runtime content.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (medium risk: 0.60). The prompt includes a GitHub Actions step that runs "sudo xcode-select -s /Applications/Xcode_26.2.app", which instructs performing a system-level change requiring elevated privileges (modifies global Xcode selection), so it asks the agent/CI to run a privileged command that alters machine state.