openchoreo-platform-engineer-gitops

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly instructs the agent to fetch and ingest external, public upstream docs and YAML (via ./scripts/fetch-page.sh and ./scripts/extract-resources.sh, resolving against https://openchoreo.dev/llms.txt and upstream GitHub repos like openchoreo/sample-gitops / openchoreo/openchoreo), and those fetched pages/YAML are parsed and used to drive edits (scope swaps, allowedWorkflows rewrites, runTemplate parameter edits and resource extraction) as a required part of the workflow, so untrusted third‑party content can materially influence agent actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). The skill invokes runtime fetchers (./scripts/fetch-page.sh and ./scripts/extract-resources.sh) that pull rendered docs and raw YAML from external hosts (e.g. https://openchoreo.dev and raw GitHub sources such as https://github.com/openchoreo/openchoreo and https://github.com/fluxcd/flux2/releases/latest/download/install.yaml, plus an install script at https://fluxcd.io/install.sh), and those fetched artifacts are used to build/commit CRDs and even to apply/bootstrapping (kubectl apply -f) — meaning external content can directly drive the agent's actions or execute code.