servel

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill's template system explicitly ingests remote, user-supplied third‑party content (references/TEMPLATES.md shows templates can use "source: type: git repo: https://github.com/..." and references the public "Infrastructure Hub: https://hub.servel.dev"), and those templates include executable fields (post_init, actions, restore/backup commands, connection templates) that the agent will read and which can materially change runtime actions and tool use.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The README includes high-confidence runtime fetches of external content that control agent behavior or execute code — notably the GitHub Actions example that runs remote code via curl -fsSL https://servel.dev/install.sh | bash (executes remote code at runtime) and manual install instructions that download and inject skill content from https://raw.githubusercontent.com/K-NRS/servel-skill/main/SKILL.md and https://raw.githubusercontent.com/K-NRS/servel-skill/main/references/TEMPLATES.md into agent skill directories (injects prompts/instructions into the agent).

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 0.90). The prompt instructs use of servel commands that create users (servel access user create), install/uninstall system services (servel bastion install/uninstall, remote provision, node add/remove, node install/upgrade), and perform provisioning or configuration changes that modify system files and require elevated privileges on target machines, so it pushes the agent toward changing machine state.