weco

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's evaluation workflow and templates (e.g., references/eval-accuracy.md, references/eval-llm-judge.md, and references/eval-skill.md) explicitly instruct downloading and loading external datasets from public URLs (GitHub raw URLs, Hugging Face, Kaggle, arbitrary URLs) and using those untrusted, third-party inputs to drive evaluation and optimization decisions, which can materially influence tool behavior.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (medium risk: 0.40). The skill routinely directs the agent to create and modify files, install dependencies, run background tasks, change file permissions, and even asks to request broad sandbox permissions (required_permissions: ['all']) — all of which can change the host environment — but it does not explicitly request sudo, system-level config edits, or account creation and includes safeguards (ask before applying changes, prefer isolated workspace).