permissions-manager

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill explicitly falls back to external web searches and research when references or unknown tools are encountered—see "If reference file not found" (For unknown tools -> use web search) and "Skill Integration Points" listing mcp__perplexity-ask__, mcp__brave-search__, and WebSearch—so it will fetch and interpret untrusted public web content.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 0.90). The skill explicitly instructs executing scripts like apply_permissions.py to write and validate permission/configuration changes for system-level CLI tools (docker, kubectl, gcloud, etc.) and file permissions—actions that modify machine state and may require elevated privileges—so it effectively pushes the agent to change the host system.