ssh-server

Verdict: Warn

Audited by Snyk on Mar 11, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The skill's manifest schema explicitly allows fetching remote OpenAPI specs for mcp-server/openapi and hosted-a2a agent_card_url values (see references/manifest-schema.md). These are fetched at runtime and converted into MCP tools or agent behavior, exposing the agent to untrusted third-party content that can influence tool capabilities.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.80). The skill requires pulling and running external container images at runtime (e.g., public.ecr.aws/truefoundrycloud/ssh-server:0.4.5-py3.12.12), which are remote artifacts that will be fetched and execute code as a required dependency.

MEDIUM W013: Attempt to modify system services in skill instructions.

  • Attempt to modify system services in skill instructions detected (high risk: 0.90). The skill instructs running privileged system commands (e.g., sudo apt install), modifying auth files (writing to /home/jovyan/.ssh/authorized_keys), and building images as root. All of these actions alter machine state and can grant remote access, so the skill pushes the agent toward state-compromising operations.

Audit Metadata

Risk Level: MEDIUM
Analyzed: Mar 11, 2026, 03:25 AM