home-assistant-apps

Warn

Audited by Snyk on Feb 16, 2026

Risk Level: MEDIUM

Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.80). The skill documentation explicitly describes installing app repositories from public URLs/GitHub (repository.yaml / one-click links), running apps that serve embedded web UIs via Ingress (untrusted HTML/JS served by add-on containers), and mounting user-provided addon_config files into containers—all of which cause the system to fetch and render or read arbitrary, user-generated third-party content.

MEDIUM W013: Attempt to modify system services in skill instructions.

  • Attempt to modify system services in skill instructions detected (high risk: 0.80). The prompt includes explicit instructions and commands that require elevated privileges or change host state (running privileged Docker containers, mounting /var/run/docker.sock, mapping host devices and namespaces, modifying AppArmor profiles, enabling host_network/full_access/etc.), which can compromise the machine if followed.

Audit Metadata

Risk Level: MEDIUM
Analyzed: Feb 16, 2026, 02:55 AM