kit-sdk

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The SDK explicitly supports adding/connecting MCP servers and importing their prompts/resources (see "AddMCPServer", "GetMCPPrompt", and "ReadMCPResource" in SKILL.md), which returns third-party messages/file parts that are incorporated into prompts and can directly influence agent behavior, enabling indirect prompt injection.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 0.80). The skill documents and enables arbitrary bash execution, file-write/edit tools, MCP subprocess commands, and explicit sudo password handling (PasswordPromptEvent), which could be used to obtain sudo credentials or modify system-level files so it poses a significant risk of altering the host state.