docx

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly unpacks and parses arbitrary .docx files provided at runtime (see the "Text extraction" pandoc command and ooxml/scripts/unpack.py plus the Document class workflows that read the unpacked document), so the agent directly ingests untrusted user/third‑party document content which could contain indirect prompt injections.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 0.90). The prompt explicitly instructs installing system packages with sudo (e.g., "sudo apt-get install pandoc", LibreOffice, poppler-utils) and global/npm installs, which ask the agent to perform privileged system changes and thus can modify the machine state.