devcontainers
Warn
Audited by Snyk on May 6, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The SKILL.md and README explicitly instruct the agent to clone and use a public GitHub repository (DEVCONTAINER_REPO_URL, default https://github.com/bikramkgupta/do-app-devcontainer) and to run scripts from .devcontainer (e.g., .devcontainer/tests/agent-test.sh), which means the agent fetches and executes untrusted third-party repository content that can materially affect its actions.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill explicitly instructs agents at runtime to clone and use the repository https://github.com/bikramkgupta/do-app-devcontainer (git clone ...), then run devcontainer initialization and test scripts from .devcontainer (init.sh, post-create.sh, agent-test.sh), so remote code is fetched and executed as a required dependency.
MEDIUM W013: Attempt to modify system services in skill instructions.
- Attempt to modify system services in skill instructions detected (high risk: 0.70). The skill explicitly recommends running a sudo command that changes ownership of /home/vscode (sudo chown -R vscode:vscode /home/vscode) and guides setup steps that modify host state (docker compose, copying files), so it asks for elevated privileges and alters system file ownership.
Issues (3)
W011
MEDIUM: Third-party content exposure detected (indirect prompt injection risk).
W012
MEDIUM: Unverifiable external dependency detected (runtime URL that controls agent).
W013
MEDIUM: Attempt to modify system services in skill instructions.
Audit Metadata