frappe-ci-expert

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's CI workflows and helper scripts explicitly fetch and install public third-party content (e.g., bench get-app cloning GitHub repos, wget of wkhtmltopdf and example.com backup files in references/ci-setup-process.md, references/helper-scripts.md and references/workflow-templates.md) and also surface runtime outputs/logs (cat ~/frappe-bench/... and uploaded artifacts) which means untrusted, user-provided web content is ingested and presented as part of the CI workflow and could be read/interpreted by the agent;

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 0.70). The skill instructs modifying system state (installing system packages via helper scripts and adding host entries in /etc/hosts, plus bench/service setup) which implies using sudo and changing system files on the runner/host.