implementing-supply-chain-security-with-in-toto

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly fetches and processes content from public third‑party sources (e.g., "git clone https://github.com/org/app.git" in SKILL.md Step 3 and CI/GitHub Actions examples) and the agent scripts read and act on link metadata, vulnerability reports, SBOMs, and in-toto verification results (scripts/agent.py and scripts/process.py), which are untrusted/user-generated inputs that can materially influence verification outcomes and deployment decisions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The CI step runs "git clone https://github.com/org/app.git" under in-toto-run at runtime, which fetches remote source that is subsequently built/executed (e.g., docker build), so the URL directly results in executing remote code during the skill's runtime.