skills/mergifyio/mergify-cli/mergify-merge-queue/Snyk

mergify-merge-queue

Warn

Audited by Snyk on Apr 24, 2026

Risk Level: MEDIUM

Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

Third-party content exposure detected (high risk: 0.80). The SKILL.md workflow requires running mergify CLI commands (e.g., "mergify queue status" and "mergify queue show") that fetch live PR and CI data from Mergify/GitHub (user-generated, third‑party content) which the agent is expected to read and use to decide actions like pausing/unpausing or debugging.

Issues (1)

W011

MEDIUM

Third-party content exposure detected (indirect prompt injection risk).

Audit Metadata

Risk Level

MEDIUM

Analyzed

Apr 24, 2026, 11:08 PM

Issues

1

Security Audit — snyk — mergify-merge-queue