autonomous-coding-agent

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.85). The workflow fetches issue title and body from an outsider-authored issue via gh issue view ... --json title,body or glab issue view ... --output json, and then uses that free-form body as implementation instructions in the agent’s LLM context (indirect prompt injection risk).

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). This skill calls gh/glab at runtime to fetch issue title/body from the repo remote (derived from the origin URL such as https://github.com/owner/repo.git or git@github.com:owner/repo.git and similarly on gitlab.com) and then uses the issue body as the implementation instructions, so remote content on github.com/gitlab.com directly controls the agent's behavior.