companion-clis
Warn
Audited by Snyk on Apr 15, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The SKILL.md explicitly instructs fetching content from public, user-controlled sources (e.g., "hf download ..." from HuggingFace, "gh repo clone owner/repo" for GitHub repos, and Docker Hub images referenced under Docker/Docker Hub). These are untrusted third-party artifacts that are ingested or built into containers, so their contents can materially change runtime behavior, and because the agent reads what it fetches, text embedded in them can act as indirect prompt injection.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 1.00). The skill includes installer commands that fetch and execute remote scripts at runtime, e.g. curl -LsSf https://hf.co/cli/install.sh | bash, curl -fsSL https://get.docker.com | sh, and downloading https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip then running ./aws/install. These execute remote code and are presented as required installation steps for the CLIs. None of them pins a version or checks a checksum or signature, so the code that runs is whatever the remote host serves at fetch time.
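The safer pattern for the installer steps flagged under W012 is to download to a file, compare it against a checksum pinned out-of-band, and only then execute it. The following POSIX shell helpers are an added example, not part of the audited skill or of Snyk's report; the installer paths, the variable DOCKER_INSTALL_SHA256 and the curl options are assumptions, and the expected hash must come from the vendor's release notes or from a value you recorded when you first vetted the script, never from the same URL.

```shell
#!/bin/sh
# Added example (not from the audited skill): replace "curl URL | sh" with
# fetch-to-file, verify against a pinned SHA-256, then execute.
set -eu

# Print the SHA-256 of a file; portable across GNU coreutils and macOS.
file_sha256() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# verify_pinned FILE EXPECTED_SHA256
# Returns 0 only if FILE hashes to the pinned value. Executes nothing.
verify_pinned() {
  actual=$(file_sha256 "$1")
  if [ "$actual" != "$2" ]; then
    printf 'checksum mismatch for %s\n  expected %s\n  actual   %s\n' \
      "$1" "$2" "$actual" >&2
    return 1
  fi
}

# run_verified_installer FILE EXPECTED_SHA256 [ARGS...]
# Runs FILE with sh only after the pin check passes. Unlike a pipe into sh,
# the bytes that were checked are exactly the bytes that run.
run_verified_installer() {
  f=$1; want=$2; shift 2
  verify_pinned "$f" "$want" || return 1
  sh "$f" "$@"
}

# fetch_pinned URL DEST EXPECTED_SHA256
# Downloads to DEST (never to a pipe), verifies, and deletes DEST on mismatch
# so a tampered or rotated script cannot be run by a later step.
fetch_pinned() {
  url=$1; dest=$2; want=$3
  curl -fsSL --proto '=https' --tlsv1.2 -o "$dest" "$url"
  if ! verify_pinned "$dest" "$want"; then
    rm -f "$dest"
    return 1
  fi
}

# Usage (DOCKER_INSTALL_SHA256 is a placeholder for a hash you recorded
# out-of-band; the same pattern applies to hf.co/cli/install.sh and to
# the awscli zip, which is verified before it is unpacked):
#   fetch_pinned https://get.docker.com ./get-docker.sh "$DOCKER_INSTALL_SHA256"
#   run_verified_installer ./get-docker.sh "$DOCKER_INSTALL_SHA256"
```

The point of the split between verify_pinned and run_verified_installer is that a review of the skill can audit the hash check separately from the execution step, and a mismatch leaves a log line and no side effects rather than a half-run installer.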
MEDIUM W013: Attempt to modify system services in skill instructions.
- Attempt to modify system services in skill instructions detected (high risk: 1.00). The skill includes explicit privileged operations and system-file modifications: sudo apt installs and adding apt keyrings, sudo usermod to add the user to the docker group (which is effectively root-equivalent on that host, since docker group members can mount the host filesystem into a container), instructions to install system-wide tools, and edits to SSH-related config. These change the machine's state and require elevated privileges.
Issues (3)
- W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
- W012 (MEDIUM): Unverifiable external dependency detected (runtime URL that controls agent).
- W013 (MEDIUM): Attempt to modify system services in skill instructions.