zp

Warn

Audited by Snyk on Feb 24, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The skill's workflow explicitly clones and opens GitHub repositories specified as "owner/name" (see "Usage" and "Common Agent Tasks" in SKILL.md), so the agent will fetch and read untrusted, user-generated repo content, which can influence its actions (e.g., checking for AGENTS.md and deciding to bootstrap or run project-specific instructions).

MEDIUM W013: Attempt to modify system services in skill instructions.

  • Attempt to modify system services in skill instructions detected (high risk: 0.70). The skill instructs creating machines, bootstrapping dotfiles (running install.sh --no-prompt), "setting up SSH", and performing backend operations that can modify system/SSH configuration or run arbitrary install scripts, so it can change the machine's state and potentially compromise security.

Audit Metadata

Risk Level: MEDIUM
Analyzed: Feb 24, 2026, 04:06 PM