agent-management

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill instructs installing and loading community skills from public GitHub URLs (e.g., "npx skills add https://github.com/...") and using /find-skills, and it also supports agent-bridge connect --setup <ticket-url> which fetches config from an arbitrary ticket URL — all of which are untrusted third-party sources whose files (CLAUDE.md / .claude/skills/* SKILL.md) the agent is expected to read at runtime.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 0.80). The skill instructs the agent to disable the sandbox with --no-sandbox (explicitly telling the agent how to bypass sandbox protections) and to run commands directly and save tokens, which meaningfully encourages bypassing security and accessing local credentials/files even though it doesn't request sudo or system-user creation.