github-copilot

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The SKILL.md explicitly instructs the agent to call GitHub REST API endpoints (e.g., GET https://api.github.com/orgs/your-org-name/copilot/billing and the copilot/metrics endpoints) to fetch organization and user-generated data (usernames, activity, metrics) that the agent is expected to read and which can drive actions like adding/removing seats, so untrusted third‑party content could materially influence behavior.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill is explicitly for managing Copilot subscriptions and billing: it provides authenticated API endpoints to view billing information and to add/remove users or teams from a paid Copilot subscription (POST/DELETE to copilot/billing/selected_users and selected_teams). Those operations directly change subscription seat counts and therefore affect billing/charges. This is a specific financial-management capability (subscription/billing modification), not a generic API or browser automation, and requires billing-related permissions (manage_billing:copilot).