biomni

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill automatically downloads and ingests public third‑party biomedical content (e.g., PubMed abstracts via LiteratureDB, external databases like UniProt/PDB/ClinVar/OMIM in the ~11GB data lake, and optional MCP web-search servers configured in .biomni/mcp_config.json), and the agent is expected to read and interpret that content as part of its autonomous workflows, exposing it to untrusted third‑party content that could enable indirect prompt injection.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 0.80). The skill explicitly states it "executes LLM-generated code with full system privileges" and enables autonomous code execution, data downloads, and external integrations (MCP/lab interfaces), which gives the agent the ability to modify the host system even though it doesn't explicitly instruct sudo, file edits, or user creation.