blocklet-dev-setup

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly fetches and analyzes untrusted public content — e.g., Phase 1.2 reads GitHub issue title/body via gh issue view and the non-GitHub URL flow uses curl/wget and the blocklet-url-analyzer to fetch/arbitrate arbitrary URLs — and the agent is expected to read and interpret that content as part of its workflow.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill explicitly runs git pull/clone at runtime to update/read the agent-skills repository (git@github.com:ArcBlock/agent-skills.git / https://github.com/ArcBlock/agent-skills), which is a required runtime dependency whose fetched skill definitions can directly change the agent's prompts/behavior.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 1.00). The skill explicitly instructs system-level changes (sudo apt installs, sudo systemctl stop/disable, creating symlinks in /usr/local/bin with sudo, changing DNS with sudo), which require elevated privileges and modify the machine state, so it poses a clear risk of compromising the host.