rust-sota-arsenal

Warn

Audited by Snyk on Apr 20, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The SKILL.md "Web-Verify Before Acting" steps explicitly require the agent to WebFetch the public crates.io API, run WebSearch for changelogs, and fall back to Firecrawl scrapes of public crate pages — open/public third‑party content the agent must read and use to decide versions and compatibility, so untrusted content can materially influence actions.

MEDIUM W013: Attempt to modify system services in skill instructions.

  • Attempt to modify system services in skill instructions detected (high risk: 1.00). The skill explicitly recommends running samply with sudo ("sudo samply record") and even disabling macOS SIP for dtrace. Both encourage obtaining elevated privileges and bypassing host security mechanisms, so the skill does push security-weakening changes to the host.

Issues (2)

  • W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
  • W013 (MEDIUM): Attempt to modify system services in skill instructions.

Audit Metadata

Risk Level: MEDIUM
Analyzed: Apr 20, 2026, 09:37 AM
Issues: 2