doc-smith-images

Warn

Audited by Snyk on Mar 2, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.70). The skill's AFS CLI workflow (SKILL.md and scripts) explicitly parses a URL from the AFS/generator JSON and runs curl to download that remote image (`URL=$(echo "$JSON_RESULT" | jq -r '.data.images[0].url' ...; curl -sL "$URL" -o "$SAVE_PATH"`), and the editing prompts instruct the agent to read and interpret text in the image to build translation/mapping prompts. Untrusted third-party image content is therefore fetched and directly influences prompt construction and subsequent model actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.70). The skill performs runtime npm installs (`cd /scripts && npm install`) and thus fetches and executes remote packages from the npm registry (e.g. https://registry.npmjs.org/@google/genai/-/genai-1.42.0.tgz). These packages are required dependencies for the Gemini SDK backend and therefore constitute a runtime external code execution dependency.

MEDIUM W013: Attempt to modify system services in skill instructions.

  • Attempt to modify system services in skill instructions detected (high risk: 0.70). The skill instructs the agent to auto-install system-wide software (`npm -g`) and to automatically mount /aignehub via the AFS CLI. Both actions modify host system state and could require elevated privileges, so the skill poses a moderate risk even though it does not explicitly create users or ask for sudo or privilege-bypass steps.

Audit Metadata

Risk Level: MEDIUM

Analyzed: Mar 2, 2026, 01:59 PM