security-trust

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.70). The SKILL.md workflow explicitly tells the agent to accept a URL to fix and run curl against arbitrary sites (e.g., "If $ARGUMENTS is provided, interpret it as the URL to fix" and the curl verification steps like curl -sI https://example.com/), so the agent will fetch and interpret untrusted public-site headers/content to decide remediation steps.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 1.00). The prompt explicitly instructs installing system packages with sudo and editing server configuration files (Nginx/Apache/Caddy) which require elevated privileges and modify the machine's system state, so it can compromise the host.