analyze-test-run

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill downloads artifact ZIPs at runtime from the temporary download URL returned by actions_get/download_workflow_run_artifact (the GitHub artifact blob URL returned by the MCP tool), and then parses files like agent-metadata-*.md and SKILL-REPORT.md whose contents (including the test prompt strings) are injected into reports and issue bodies—i.e., external runtime-fetched content directly controls prompts/analysis.