create-agent-tui

Warn

Audited by Snyk on Apr 29, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The skill explicitly includes web-search and web-fetch capabilities — e.g., openrouter:web_search is added by default in src/tools/index.ts and the Interactive Tool Checklist in SKILL.md, and a web_fetch tool is specified in references/tools.md — and those tool outputs are passed into the agent loop (src/agent.ts calls client.callModel({ tools, ... })), so untrusted public webpages/search results can be read by the agent and materially influence subsequent decisions.

MEDIUM W013: Attempt to modify system services in skill instructions.

  • Attempt to modify system services in skill instructions detected (high risk: 0.80). The skill scaffolds and enables file-read/write/edit tools and a shell command tool (both default ON) and its system prompt instructs the agent to proactively explore and modify the codebase, while the "tool permissions/approval" safeguard is off by default, so it directly enables modifying the machine's filesystem and running arbitrary commands.

Audit Metadata

Risk Level: MEDIUM
Analyzed: Apr 29, 2026, 10:24 AM
Issues: 2