AGENT LAB: SKILLS

autonomous-skill

Warn

Audited by Snyk on Feb 15, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.80). The skill explicitly supports a network mode (the --network option in scripts/run-session.sh) that runs codex with --dangerously-bypass-approvals-and-sandbox, and its own example prompt is "Fetch data from GitHub API and analyze". The agent can therefore fetch and ingest public third-party web API content that may carry untrusted, user-generated input.

MEDIUM W013: Attempt to modify system services in skill instructions.

  • Attempt to modify system services in skill instructions detected (high risk: 0.90). The skill explicitly instructs use of Codex flags like --dangerously-bypass-approvals-and-sandbox and --full-auto (full access, file edits + network), which encourages bypassing security/sandbox protections and enabling autonomous file-system and network actions that can compromise the host.

Audit Metadata

Risk Level: MEDIUM
Analyzed: Feb 15, 2026, 09:12 PM