apple-container
Warn
Audited by Snyk on Apr 5, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill's documentation and workflow explicitly instruct the CLI to fetch and run content from public registries and URLs (e.g., "container run -it ubuntu:latest", "container image pull"/"container image push" in references/command-reference.md, and "container system kernel set ... --tar " plus kernel.url pointing to a GitHub release in references/technical-overview.md), which are untrusted third‑party sources whose manifests, images, or archives can change runtime behavior and thus could carry indirect prompt-injection-like instructions.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The documentation explicitly shows that at runtime "container system start" can prompt to download and install a kernel from https://github.com/kata-containers/kata-containers/releases/download/3.17.0/kata-static-3.17.0-arm64.tar.xz, which is a remote archive of executable kernel content fetched and installed during execution (i.e., a runtime fetch of remote code that the tool may rely on), so this is a high-confidence runtime external dependency that can execute remote code.
Issues (2)
- W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
- W012 (MEDIUM): Unverifiable external dependency detected (runtime URL that controls agent).
Audit Metadata