infra-deploy

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.70). The skill registers and interacts with Cal.com webhooks (POST to https://api.cal.com/v1/webhooks) and explicitly queries the deployed WEBHOOK_RELAY_URL (curl "$WEBHOOK_RELAY_URL"), which means it ingests public, user-generated webhook payloads from the open internet (booking events) that are parsed/checked and drive actions (notifications/health checks), exposing the agent to untrusted third‑party content that could inject instructions indirectly.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill pulls and runs a remote container image at runtime (docker-compose uses image "calcom/cal.com:latest" and the Cloud Run image reference "${CALCOM_GCP_REGION}-docker.pkg.dev/${CALCOM_GCP_PROJECT}/calcom/calcom:latest"), which causes execution of remote code fetched from external registries.