gpu-container-setup-flagos
Warn
Audited by Snyk on Apr 15, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 1.00). The skill's required image-discovery flow (Step 4 in SKILL.md and the references/image-sources.md) explicitly queries public registries and APIs (e.g., https://api.ngc.nvidia.com, harbor.baai.ac.cn, Docker Hub) and falls back to Web Search (Step 4.3) to fetch and parse arbitrary third-party pages/tags, and those results are used to choose/pull container images and even update the skill, so untrusted external content can directly influence tool actions and decisions.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill issues runtime curl queries to external container registries (e.g., https://api.ngc.nvidia.com/v2/repos/nvidia/pytorch/tags and similar registry APIs like https://harbor.baai.ac.cn/...) to select images which are then docker-pulled and run, so these URLs are used at runtime, the fetched responses determine which remote container code is executed, and the skill depends on them.
MEDIUM W013: Attempt to modify system services in skill instructions.
- Attempt to modify system services in skill instructions detected (high risk: 0.70). The skill explicitly instructs the agent to pull and run Docker containers (including device mappings and host path mounts such as /usr/local/Ascend and /dev/*), start/replace containers, and modify repo reference files — actions that change the machine state and can expose or alter host resources (even if it doesn't explicitly request sudo, create users, or edit system-level config files).
Issues (3)
W011
MEDIUM: Third-party content exposure detected (indirect prompt injection risk).
W012
MEDIUM: Unverifiable external dependency detected (runtime URL that controls agent).
W013
MEDIUM: Attempt to modify system services in skill instructions.