use-slicer

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill explicitly fetches and executes public third‑party content as part of its documented workflows (e.g., "Quick k3s cluster" uses curl -sfL https://get.k3s.io | sh -, it pulls container images from ghcr.io, and installs agents via arkade), so untrusted web-hosted artifacts are ingested and can materially change runtime behavior inside VMs.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill explicitly executes remote code at runtime (e.g., "curl -sfL https://get.k3s.io | sh -" run inside a VM) and also pulls VM images from remote registries (e.g., ghcr.io/openfaasltd/slicer-systemd:...), both of which are runtime-fetched external artifacts that will execute code in the sandboxed environment.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 0.80). The skill instructs the agent/user to run system-level operations (e.g., "sudo -E slicer up", binding APIs to 0.0.0.0, disabling API auth, checking/creating network bridges, writing /run/pid) that modify host system state and require sudo, so it could compromise the machine's state and security.