gha-lint
Warn
Audited by Snyk on Mar 17, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.70). The skill's CI example and usage instructions explicitly fetch and execute code from public GitHub repositories (e.g., the curl to https://raw.githubusercontent.com/... for actionlint and the "uses:" entries like suzuki-shunsuke/pinact-action, aquaproj/aqua-installer, and zizmorcore/zizmor-action), meaning it ingests untrusted third‑party content that can materially influence tool behavior and workflow decisions.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The example workflow uses bash <(curl https://raw.githubusercontent.com/rhysd/actionlint/main/scripts/download-actionlint.bash) which fetches and directly executes remote code at runtime, making it a required runtime dependency that executes external code.
Issues (2)
W011
MEDIUMThird-party content exposure detected (indirect prompt injection risk).
W012
MEDIUMUnverifiable external dependency detected (runtime URL that controls agent).
Audit Metadata