motoko-github-ci-workflow

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.70). The skill's required CI workflow steps explicitly fetch and install third-party artifacts (e.g., npm installs, external GitHub Actions like caffeinelabs/setup-mops and dfinity/setup-dfx, and the "Get didc" step that curls the GitHub Releases API and downloads a released binary), which pulls untrusted public content at runtime that can materially change build/test behavior.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The workflow includes a runtime curl that downloads and installs a remote binary which is then executed (https://github.com/dfinity/candid/releases/download/$release/didc-linux64), meaning remote content is fetched at runtime and executed.