agent-tools
Warn
Audited by Snyk on Mar 10, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.80). SKILL.md explicitly exposes WebFetch/WebSearch (see "Available Tools" and the "Documentation" example that includes "WebFetch"/"WebSearch", plus the WebFetch domain restrictions section). This lets the agent retrieve and act on untrusted public web content, which could influence its decisions or tool use and enable indirect prompt injection.
MEDIUM W013: Attempt to modify system services in skill instructions.
- Attempt to modify system services in skill instructions detected (medium risk: 0.40). The prompt itself is a configuration/reference document (it does not instruct the agent to obtain sudo, create users, or edit system config), but it explicitly documents options that can enable arbitrary shell commands and unrestricted file edits (including absolute paths and a --dangerously-skip-permissions mode), so it poses a moderate risk if misused.