docker-compose
Warn
Audited by Snyk on Feb 28, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). This skill explicitly downloads and applies configuration files from public URLs on raw.githubusercontent.com (see Phase 4a curl commands and refs/docker-compose-deployment.md), so the agent fetches and acts on untrusted third-party content that can change runtime behavior.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 1.00). The skill automatically runs curl at runtime to download config and a Dockerfile from raw.githubusercontent.com (e.g. https://raw.githubusercontent.com/phasehq/console/main/nginx/Dockerfile and https://raw.githubusercontent.com/phasehq/console/main/docker-compose.yml). These files are then used by docker compose build/up, so remote content is fetched and executed as part of the deployment, creating a high-confidence runtime dependency that can execute remote code.
MEDIUM W013: Attempt to modify system services in skill instructions.
- Attempt to modify system services in skill instructions detected (high risk: 1.00). This skill instructs the agent to write and modify service/config files (nginx, docker-compose), run Docker/certbot commands, and install a cron job — autonomously changing the host's state and potentially affecting security and availability.