using-webctl
Warn
Audited by Snyk on Mar 29, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The SKILL.md explicitly instructs using webctl to navigate arbitrary web URLs and to snapshot/query/interact with pages (e.g., commands like webctl navigate "https://..." and webctl snapshot, with examples referencing public sites such as github.com and bsky.app), which clearly causes the agent to fetch and interpret untrusted, user-generated third‑party web content as part of its workflow.
MEDIUM W013: Attempt to modify system services in skill instructions.
- Attempt to modify system services in skill instructions detected (high risk: 1.00). The skill explicitly instructs modifying system package files under /usr/local/lib (copying auth_proxy.py and patching session_manager.py) and uses pip install with --break-system-packages, which requires elevated privileges and alters the machine state, so it should be flagged.
Issues (2)
- MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- MEDIUM W013: Attempt to modify system services in skill instructions.