release

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill explicitly fetches and inspects third-party repository content and metadata (git pull/git log in Step 1, "Present ... Commits since last release" in Step 2) and queries public services (gh/gh api/gh release view, gh run list, cargo search against crates.io in Steps 4 and 6) — untrusted user-generated commit messages and release pages are read and used to decide/version and drive release actions, meeting all flagged criteria.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill explicitly runs "git pull origin main" against the freenet-core repository (https://github.com/freenet/freenet-core) at runtime and then instructs executing ./scripts/release.sh, so fetched remote changes could alter and cause execution of remote code.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 0.90). The skill instructs the agent to run release scripts, publish code, and SSH into gateways to trigger automated updates (and references systemd/service actions), which perform privileged, state-changing operations on local and remote machines and thus can compromise machine state if executed by an agent.