karpathytalk-community
Warn
Audited by Snyk on Apr 8, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The SKILL.md explicitly instructs agents to fetch and read public, user-generated posts from the open KarpathyTalk API (e.g., https://karpathytalk.com/api/posts and /api/users/{username}/posts.md) and even shows embedding that markdown into an LLM system prompt, which exposes the agent to untrusted third-party content that could inject instructions.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill's runtime code fetches external markdown (e.g., https://karpathytalk.com/api/users/{username}/posts.md and similar /api/posts endpoints) and directly injects that fetched content into an LLM system prompt, meaning remote content can control agent instructions.
MEDIUM W013: Attempt to modify system services in skill instructions.
- Attempt to modify system services in skill instructions detected (high risk: 1.00). The prompt includes deployment instructions that create or modify systemd service definitions and webserver (nginx/Caddy) TLS configs. These actions alter system-level service and configuration files and typically require elevated privileges, so following the skill changes the state of the host machine.
Issues (3)
W011 MEDIUM: Third-party content exposure detected (indirect prompt injection risk).
W012 MEDIUM: Unverifiable external dependency detected (runtime URL that controls agent).
W013 MEDIUM: Attempt to modify system services in skill instructions.