co-design

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill launches design subagents via the provided claude -p shell command which explicitly grants WebFetch/WebSearch in --allowedTools (see the bash launch block: --allowedTools "Bash,Read,Edit,Write,Glob,Grep,WebFetch,WebSearch"), allowing those agents to fetch and read arbitrary public web content that could be untrusted or user-generated.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 0.80). The skill explicitly routes tasks to a background CLI agent with allowedTools including Bash/Read/Edit/Write and instructs agents to edit files, run shell commands, and commit changes — which enables arbitrary filesystem and process changes (and potential privilege escalation) even though it doesn't explicitly ask for sudo or specific system-file edits.