persona-model-trainer

Warn

Audited by Snyk on Apr 25, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The skill explicitly ingests untrusted, user-provided/public content (training/raw and persona-knowledge exports) as part of its required prepare_data pipeline (Phase 4 / pipeline-guide) and also instructs the agent to fetch external HuggingFace/model-card information via WebSearch in Phase 2 and to download base models in generated Colab runs, meaning arbitrary third-party pages/files are read and can materially influence model selection, training method, and subsequent tool actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.80). The generated Colab notebook (runtime) runs a pip install from the GitHub URL git+https://github.com/unslothai/unsloth.git (via "!pip install -q 'unsloth[colab-new] @ git+https://github.com/unslothai/unsloth.git'"), which fetches and executes remote code during skill runtime and is required for the Unsloth training path, representing a supply-chain / remote-code execution risk.

Issues (2)

  • W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
  • W012 (MEDIUM): Unverifiable external dependency detected (runtime URL that controls agent).

Audit Metadata

Risk Level: MEDIUM
Analyzed: Apr 25, 2026, 03:39 PM
Issues: 2