deepagents-implementation

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill includes examples that add a web_search tool (Basic Usage: "With Custom Tools" returning tavily_client.search(query)) and MCP integrations that expose GitHub/web servers, and several subagent examples (e.g., research_agent) explicitly instruct the agent to search and synthesize web content — i.e., it fetches and reads untrusted public web/user-generated content as part of its workflow.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (medium risk: 0.40). The prompt doesn't explicitly instruct privileged actions (creating users, editing systemctl/ssh, or obtaining sudo), but it exposes real-disk FilesystemBackend, an execute tool for shell commands, and destructive tools like delete_file which could be used to modify the host state — so it poses a moderate risk.