building-detection-rules-with-sigma

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill explicitly requires cloning and loading Sigma rules from the public SigmaHQ GitHub repository (SKILL.md prerequisites: "git clone https://github.com/SigmaHQ/sigma.git" and examples/os.walk over "sigma/rules/windows/"), and the agent parses and converts those community-maintained YAML rules into SIEM queries and deployment actions—i.e., it ingests untrusted, user-contributed content that can directly influence tool behavior.