ctf-forensics

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The SKILL.md explicitly instructs fetching and ingesting untrusted public content (e.g., calling the mempool.space API, using gitdumper.sh against arbitrary https://target/.git/ URLs, and aws s3 cp --no-sign-request to read public S3 buckets), so the agent would read and act on third‑party/user‑generated data as part of its workflow.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 0.80). This skill includes explicit privileged operations (e.g., "sudo mount -o loop,ro", apt package installs, veracrypt/cryptsetup mounting, disk/VM extraction) that require elevated rights and can modify the host's state, so it encourages actions that could compromise the machine.