nextflow-development

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly fetches and ingests public GEO/SRA/ENA study metadata and raw FASTQ files (see references/geo-sra-acquisition.md and the python scripts/sra_geo_fetch.py info/download/samplesheet commands), so the agent will read and act on untrusted, user-generated content from the open web.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). Commands like "nextflow run nf-core/rnaseq -r 3.22.2 ..." cause Nextflow to fetch and execute pipeline code from remote repositories (e.g., https://github.com/nf-core/rnaseq), which is a runtime retrieval of remote executable code the skill depends on.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 1.00). The prompt includes explicit sudo commands and instructions to change group membership, start system services, and install packages (e.g., sudo usermod -aG docker $USER, sudo systemctl start docker, sudo apt install ...), which instruct the agent to perform privileged system modifications that alter the machine state.