cloudflare-sandbox

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly accepts and clones arbitrary public repository URLs and runs their code (e.g., sandbox.gitCheckout(repoUrl) and subsequent sandbox.exec calls shown in templates/ci-cd.ts, templates/workspace.ts, patterns.md and SKILL.md where repoUrl is supplied via POST/webhook), so untrusted, user-generated content from third‑party sites (GitHub/URLs) is ingested and can directly influence tool execution.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill explicitly performs runtime git checkouts (e.g., sandbox.gitCheckout('https://github.com/user/repo', '/workspace/repo')) and then runs commands like npm install / npm run build, meaning remote repository content fetched at runtime can execute code inside the sandbox (flagging https://github.com/user/repo as a runtime-executed external dependency).