codex
Warn
Audited by Snyk on Feb 15, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill's "Web Search & Fetch" capability (enabled via --enable web_search_request and shown in examples like "Fetch and summarize https://github.com/user/repo") fetches and ingests arbitrary public web pages and repositories, so the agent will read untrusted third-party content that could contain indirect prompt injection.
MEDIUM W013: Attempt to modify system services in skill instructions.
- Attempt to modify system services in skill instructions detected (high risk: 0.90). The prompt repeatedly instructs use of the --dangerously-bypass-approvals-and-sandbox flag (explicitly telling the agent to bypass safety/sandboxing), which directly encourages circumventing security controls and enables arbitrary state-changing actions on the host, even though it doesn't name specific privileged edits like user creation.
Audit Metadata