implementing-sigstore-for-software-signing

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The agent fetches and parses public, user-submitted Rekor transparency log data (e.g., scripts/agent.py functions search_rekor_by_hash and get_rekor_entry which POST/GET to https://rekor.sigstore.dev/api/...) and the SKILL.md/workflow uses those returned entries to drive audit checks and verification decisions, so untrusted third‑party content can materially influence behavior.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 0.80). The prompt instructs installing Cosign with a command that uses sudo to move a binary into /usr/local/bin (modifying system files requiring elevated privileges), which encourages actions that change the host system state.