journey

Warn

Audited by Snyk on Apr 2, 2026

Risk Level: MEDIUM

Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 1.00). The skill's SKILL.md directs the agent to fetch kits from the public Journey registry (e.g., GET https://www.journeykits.ai/api/kits///install and /api/kits/search), then explicitly tells the agent to process the install response (run preflightChecks, write files, and "read kit.md" as the primary workflow guide), meaning untrusted third-party kit content can directly influence tool use and actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). The skill fetches kit install bundles at https://www.journeykits.ai/api/kits///install?target=&ref=latest at runtime, and those responses include files, installation instructions, and "preflightChecks" (shell commands) that can execute code and directly control the agent's behavior, which the skill relies on to perform installs.

MEDIUM W013: Attempt to modify system services in skill instructions.

  • Attempt to modify system services in skill instructions detected (high risk: 0.90). The skill explicitly instructs the agent to run preflight shell commands and write/append files under a suggested root (and install dependency kits), which directly modifies the machine filesystem and can trigger privileged changes depending on kit content, so it can push the agent to compromise system state.

Audit Metadata

Risk Level: MEDIUM
Analyzed: Apr 2, 2026, 03:33 PM
Issues: 3