mz-debug-ci

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill explicitly fetches and parses untrusted third-party content from public services — e.g., GitHub via gh pr view / gh pr checks and Buildkite annotations/logs via bk api /pipelines/.../annotations and bk job log — and the agent is instructed to interpret those annotations/logs to drive diagnostics and next actions, which could allow indirect prompt injection from user-generated web content.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 1.00). The prompt explicitly requires disabling the default sandbox for all Bash commands (dangerouslyDisableSandbox: true), which instructs the agent to bypass a security mechanism even though it doesn't ask for sudo or file modifications.