debug
Warn
Audited by Snyk on Mar 3, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). This skill ingests and acts on user-generated chat/input provided via the host IPC files and stdin (e.g., /workspace/ipc/messages/*.json, /workspace/ipc/{groupFolder}/current_tasks.json, available_groups.json, and the JSON prompt piped into the container), so untrusted third-party messages can directly influence agent decisions and tool use.
MEDIUM W013: Attempt to modify system services in skill instructions.
- Attempt to modify system services in skill instructions detected (medium risk: 0.60). The prompt includes host-level operations that modify system state (editing a systemd unit's environment, suggesting "sudo systemctl start docker", running "docker builder prune", running "rm -rf" on session directories, and deleting rows directly from sqlite), so an agent executing it could change the machine's configuration and data — moderate risk.
Audit Metadata