tor-browser

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill explicitly opens and browses arbitrary public .onion and web URLs (see SKILL.md commands like "tor-browser open " and the scripts/tor-browser.py navigate/open functions) and exposes page content via get_snapshot, get_text, extract_links, click, and fill, meaning untrusted third‑party pages are fetched and read as part of the workflow and can directly drive further actions.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 1.00). The prompt explicitly instructs running privileged commands (e.g., "sudo apt install tor", "sudo systemctl start tor", and other sudo systemctl/journalctl commands), which requires elevated privileges and modifies system services, so it pushes the agent to change the host machine state.