koog
Warn
Audited by Snyk on Feb 24, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill's examples and workflow references (references/built-in-tools.md and references/strategies.md) define and register a SimpleTool, "WebSearchTool", which issues HTTP GET requests to external web APIs, along with subgraphs that pass those tool results back to the LLM (e.g., nodeLLMSendToolResult / subgraph with WebSearchTool). Untrusted public web content can therefore be ingested and influence subsequent tool calls and decisions.
MEDIUM W013: Attempt to modify system services in skill instructions.
- Attempt to modify system services in skill instructions detected (high risk: 0.70). The prompt documents and enables tools that can modify the host (WriteFileTool/EditFileTool/ExecuteShellCommandTool and file-manipulation ToolSets). It does not explicitly instruct sudo use, user creation, or specific system-file edits, but it clearly gives the agent the capability to change machine state and run arbitrary shell commands.
Audit Metadata