create-subagent

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly enables and instructs agents (see the "Research Agent" template and the "Available Tools" section) to use WebSearch/WebFetch and even says "use web search for external docs"—showing it fetches and reads untrusted public web content that the agent is expected to interpret and use to drive decisions.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 0.90). The prompt explicitly includes a "bypassPermissions" mode ("Skip all permission prompts") and allows omitting tool restrictions (full access) including execution via Bash, which encourages bypassing security controls and enables privileged modifications to the host state.