coding-agent

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). Yes — the SKILL.md workflow explicitly instructs cloning and fetching GitHub repos/PRs (e.g., "git clone https://github.com/user/repo.git $REVIEW_DIR" and "git fetch origin '+refs/pull//head:refs/remotes/origin/pr/'") and then running coding agents (Codex/Claude Code) to review and modify that code, meaning untrusted, user-generated third‑party content will be read and can influence agent actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill explicitly fetches and runs external code at runtime — e.g., git clone https://github.com/user/repo.git (cloning a repository into the agent's workdir that will be used as context) and npm install -g @mariozechner/pi-coding-agent (fetches a remote CLI package that is then executed via the pi command) — so these external dependencies can directly control prompts or execute code.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (medium risk: 0.40). The prompt does not explicitly ask for sudo, user creation, or editing privileged system files, but it instructs the agent to run arbitrary shell commands via exec_command (including global installs) and even encourages disabling sandbox/approval flags (--yolo, --full-auto), which meaningfully raises the risk of the agent modifying host state or bypassing safeguards.