container-update-report

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.70). The workflow's "just update-container-digests" step explicitly fetches latest container SHAs from public registries (docker.io, ghcr.io, lscr.io) and the agent is expected to read the resulting git diff/containers-sha.nix and summarize changes, exposing it to untrusted, user-published registry metadata.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 0.90). The skill tells the agent to run deployment commands (e.g., just colmena ) that update NixOS host configurations and activate system-level changes on hosts, which will modify system state and likely require elevated privileges.