running-containers

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.70). The skill's update system explicitly queries and ingests public GitHub Releases API (references/service-update-system.md and references/immich-update.md) to determine "latest" versions and then drives automated image pulls/restarts, so it consumes untrusted, user-generated third‑party content (GitHub) that can materially change agent-driven actions (updates), meeting the flagged criteria.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 1.00). This skill explicitly includes sudo commands, systemctl service control, and instructions to modify system-level NixOS configuration and secrets (e.g., editing configuration.nix, starting/stopping services, reading protected env), which direct the agent to perform privileged, state-changing operations on the machine.