pentest

Warn

Audited by Snyk on Apr 30, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The skill's required workflows (SKILL.md and reference/workflows.md) explicitly run tools like Sherlock, Maigret, Holehe, subfinder/httpx and nuclei to fetch and parse public websites and social-profile data (e.g., "review profile bios manually; feed any email to workflow 3"), so the agent reads untrusted, user-generated third-party content and uses it to drive subsequent tool choices and actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). The skill explicitly pulls and runs third-party Docker images at runtime (e.g. docker.io/projectdiscovery/nuclei, docker.io/instrumentisto/nmap, docker.io/kalilinux/kali-rolling). These images are required backends, so they are runtime external dependencies whose remotely fetched code is executed.

MEDIUM W013: Attempt to modify system services in skill instructions.

  • Attempt to modify system services in skill instructions detected (high risk: 0.80). The skill explicitly directs the execution layer to auto-retry commands with "sudo -n" on permission-denied and to use flags like --privileged / --network-host (and Docker overrides). This encourages automatic privilege escalation and privileged operations on the host, even though the skill does not explicitly instruct file edits or user creation.

Audit Metadata

Risk Level: MEDIUM
Analyzed: Apr 30, 2026, 09:50 PM
Issues: 3