ley-ar

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's required search workflow (SKILL.md and scripts/ley/databases/*.py) performs direct HTTP requests and HTML/JSON scraping of public third‑party sites (saij.gob.ar, sjconsulta.csjn.gov.ar, juba.scba.gov.ar, eje.juscaba.gob.ar) and consumes those results as part of its output/decision-making, exposing the agent to untrusted public web content that could carry indirect prompt injections.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 0.80). The install instruction uses "pip install -e . --break-system-packages", which explicitly bypasses packaging safety and can alter system-level packages (and may encourage use of sudo), so it asks the agent to perform actions that can compromise the host state.