incident-responder

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 1.00). The incident-response skill explicitly instructs the agent to kill processes, delete/restore files, check and modify persistence locations (e.g., ~/.ssh/authorized_keys, systemd/launchd services), rotate SSH keys and credentials, and remove service files—actions that modify the machine's state and may require elevated privileges.