trivy

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's workflow explicitly shows commands like "trivy repo https://github.com/owner/repo" and other "repo" and remote-scan examples that fetch and analyze arbitrary public git repositories (user-generated content) which the agent would read and whose contents could influence scanning decisions and follow-up actions.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 0.70). The prompt includes explicit installation steps that use sudo and commands that write to system locations (e.g., /usr/share/keyrings, /usr/local/bin, /etc/apt/sources.list.d), which instruct modifying the host system and require elevated privileges, so it can push an agent to change the machine state.