solo-builder

Warn

Audited by Snyk on Feb 21, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The skill explicitly instructs the phase-researcher sub-agent (see .claude/agents/phase-researcher.md and Step 1.2 "Deep Research") to perform WebSearch/WebFetch (including Docker Hub) and ingest those public web findings into RESEARCH.md, which the main agent must read and use to update SPEC/IMPLEMENTATION and drive coding decisions, thereby exposing it to untrusted third-party content that can materially influence actions.

MEDIUM W013: Attempt to modify system services in skill instructions.

  • Attempt to modify system services in skill instructions detected (high risk: 0.80). The skill explicitly instructs the agent to "setup everything" (Docker, databases, dependencies), run and modify bash scripts, install missing dependencies, ensure services are running, and change project/system configs autonomously, actions that will likely require elevated privileges and change the host system state, so it can compromise the machine.

Audit Metadata
Risk Level
MEDIUM
Analyzed
Feb 21, 2026, 10:11 AM