manabi-ingest
Fail
Audited by Snyk on May 2, 2026
Risk Level: CRITICAL
Full Analysis
CRITICAL E004: Prompt injection detected in skill instructions.
- Potential prompt injection detected (high risk: 0.90). The prompt includes an explicit instruction to run agents with mode: "bypassPermissions" (and similar agent-override parameters) which directs the system to circumvent permissions/controls — a deceptive behavior-altering directive outside the stated ingestion/orchestration purpose.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). This skill's SKILL.md explicitly performs Chrome-based page_text and links extraction (Step 2.5) and then fetches external resources (Step 2.6) from public/untrusted sources such as Notion, Google Drive, PDFs, and YouTube/UTAGE pages. The fetched materials are consumed by downstream extractors (concept-extractor, visual-indexer, utage-manual, skill-planner/skill-synthesizer) to drive decisions and generate actionable artifacts, which creates a clear pathway for indirect prompt injection.
MEDIUM W013: Attempt to modify system services in skill instructions.
- Attempt to modify system services in skill instructions detected (high risk: 0.80). The prompt explicitly instructs agents to run with mode "bypassPermissions" (i.e. bypass security/permission controls), which is a direct push to circumvent protections even though it otherwise operates in user-space files and avoids direct sudo/system-file edits.
Issues (3)
- E004 (CRITICAL): Prompt injection detected in skill instructions.
- W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
- W013 (MEDIUM): Attempt to modify system services in skill instructions.
Audit Metadata