exploiting-bgp-hijacking-vulnerabilities

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's runtime workflow (scripts/agent.py and SKILL.md) explicitly fetches and ingests data from public third-party sources—e.g., RIPEstat API endpoints at https://stat.ripe.net/data (rpki-validation, announced-prefixes, routing-status, looking-glass), pybgpstream/RouteViews and RIPE RIS collectors described in SKILL.md—and the agent directly interprets that untrusted, user/Internet-originated content to drive its BGP assessment decisions and reports.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). The skill explicitly runs a runtime installation command that fetches and executes remote code—sudo bash -c "$(curl -sL https://get.containerlab.dev)"—and Containerlab is a required dependency for the lab deployment, so this URL is a high-confidence runtime code-execution risk.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 0.80). The prompt includes explicit sudo commands (e.g., installing containerlab and deploying the lab with sudo) and instructions that modify the host environment (installing global packages, running containers and binding config files), which ask the agent to perform privileged, state-changing operations on the machine.