moai-workflow-ci-autofix

Warn

Audited by Snyk on May 14, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The skill fetches failed CI logs and PR diffs via scripts/ci-autofix/log-fetch.sh, driven by the runId/logUrl in the Wave 2 handoff JSON (e.g., GitHub Actions URLs). It then injects the resulting untrusted, user-generated log_and_diff_content into the manager-quality subagent prompt/workflow to produce patches/diagnoses that directly influence actions, creating a path for indirect prompt injection.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 1.00). At runtime, the orchestrator passes the handoff's logUrl (e.g., "https://github.com/.../actions/runs/12345678") / runId into scripts/ci-autofix/log-fetch.sh. The fetched CI log + PR diff are injected into the manager-quality subagent prompt as "Failed CI Log + PR Diff", so external content fetched at runtime directly controls model input, and the skill depends on that content for classification and patch generation.

Issues (2)

W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).

W012 (MEDIUM): Unverifiable external dependency detected (runtime URL that controls agent).

Audit Metadata
Risk Level: MEDIUM
Analyzed: May 14, 2026, 03:31 PM
Issues: 2