coding-agent
Warn
Audited by Snyk on May 5, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill explicitly clones and fetches public GitHub repositories and PR refs (e.g., the "Reviewing PRs" quick-start shows "git clone https://github.com/user/repo.git" and "gh pr checkout 130", and "Batch PR Reviews" uses "git fetch origin '+refs/pull/*/head:refs/remotes/origin/pr/*'") and then spawns local agents to read and act on that untrusted, user-generated code/PR content, which can materially influence agent actions.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill explicitly runs git clone at runtime (e.g., "git clone https://github.com/user/repo.git $REVIEW_DIR") to fetch repository contents that are then provided to and acted on by coding agents (and may be built/installed/committed by those agents), so the fetched content can directly control agent prompts/behavior and lead to remote code execution.
Issues (2)
W011
MEDIUM Third-party content exposure detected (indirect prompt injection risk).
W012
MEDIUM Unverifiable external dependency detected (runtime URL that controls agent).
Audit Metadata