session-scan

Warn

Audited by Snyk on Mar 10, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The skill spawns subagents that explicitly call mcp__ccrider__get_session_messages (SKILL.md, Step 5), and the scorer (references/compute-metrics.py) ingests and interprets those user session JSON messages (user-generated content) to compute scores and make decisions, exposing the agent to untrusted third-party content that can influence actions.

MEDIUM W013: Attempt to modify system services in skill instructions.

  • Attempt to modify system services in skill instructions detected (high risk: 0.80). The skill explicitly instructs spawning subagents with mode="bypassPermissions" (to gain Write+Bash), runs arbitrary python/bash commands, and writes/removes files on the host—i.e., it directs bypassing permission controls and executing code on the machine, which risks compromising the host state.

Audit Metadata

Risk Level: MEDIUM
Analyzed: Mar 10, 2026, 11:41 PM