desktop-commander

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly allows reading arbitrary web pages/URLs (e.g., "read_file" with isUrl: true in SKILL.md and references/desktop-commander.md), so the agent can fetch and interpret untrusted public web content which could carry indirect prompt injection.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 0.90). The skill explicitly enables running arbitrary shell commands, reading/writing and editing files, killing processes, and even warns that directory restrictions aren’t a sandbox—capabilities that can modify system files or be used to escalate/bypass protections, so it meaningfully pushes the agent to change machine state.