moai-workflow-ci-watch
Warn
Audited by Snyk on May 16, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). Yes—the skill polls GitHub via gh pr checks and emits handoff JSON including logUrl entries which the Wave 3 expert-debug flow is explicitly instructed to fetch/read (see SKILL.md, modules/ci-watch-protocol.md and modules/trigger-handoff.md), meaning untrusted, user-generated GitHub Actions logs are ingested and can drive automated debugging actions.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.80). The skill's Wave-3 handoff JSON includes external log URLs (e.g. https://github.com/modu-ai/moai-adk/actions/runs/12345678) which the expert-debug consumer is documented to fetch at runtime and inject into the spawn prompt for diagnosis, meaning remote content can directly influence agent prompts.
Issues (2)
W011
MEDIUM Third-party content exposure detected (indirect prompt injection risk).
W012
MEDIUM Unverifiable external dependency detected (runtime URL that controls agent).