tutor-setup

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill's Document Mode explicitly fetches and ingests web content via "URL → WebFetch" in Phase D1 (SKILL.md: "URL → WebFetch"), and that untrusted public webpage content is read and used to drive mapping, note creation, and subsequent automated actions—meeting all criteria for indirect prompt-injection exposure.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 0.90). The prompt explicitly instructs the agent to run shell commands (pdftotext) and, if missing, to install system packages using brew or apt-get (which modify system state and typically require elevated privileges) and even writes to /tmp, so it directs actions that change the host system.