desktop-commander

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly supports reading arbitrary web pages/URLs (e.g., "Read URL: read_file with isUrl: true" in SKILL.md and references/desktop-commander.md), so the agent will fetch and interpret public third-party web content as part of its workflow, allowing untrusted content to influence subsequent actions.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 0.90). The skill explicitly enables running arbitrary shell commands, reading/writing and editing files, killing processes, and even warns that directory restrictions aren’t a sandbox—capabilities that can modify system files or be used to escalate/bypass protections, so it meaningfully pushes the agent to change machine state.