autonomous-skill
Warn
Audited by Snyk on Mar 9, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill explicitly supports a --network mode in SKILL.md and scripts/run-session.sh that runs Codex with --dangerously-bypass-approvals-and-sandbox, and even shows the example "Fetch data from GitHub API and analyze". This allows the agent to fetch and interpret public web/API content and then act on it in full-auto sessions, exposing it to untrusted third-party content.
MEDIUM W013: Attempt to modify system services in skill instructions.
- Attempt to modify system services in skill instructions detected (high risk: 0.90). The skill explicitly instructs use of Codex flags like --dangerously-bypass-approvals-and-sandbox and --full-auto (full access, file edits + network), which encourages bypassing security/sandbox protections and enabling autonomous file-system and network actions that can compromise the host.
Audit Metadata