sop-engine
Warn
Audited by Snyk on Mar 1, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.80). The sop-execute implementation (scripts/sop-execute) extracts and evals bash code blocks from SOP markdown (see the "Data Processing Pipeline" and other examples in SKILL.md that include curl commands like "curl -o data/raw.json https://api.example.com/data" and health-check URLs). As a result, the skill will fetch and execute content from arbitrary public URLs as part of its runtime workflow.
MEDIUM W013: Attempt to modify system services in skill instructions.
- Attempt to modify system services in skill instructions detected (high risk: 0.90). The skill explicitly executes arbitrary shell commands as SOP steps, persists state and audit logs on the host, and is designed to run deployment and maintenance workflows (which can modify files or invoke privileged operations). It therefore enables the agent to modify the machine's state and potentially perform harmful or privileged changes, even though it does not directly mention sudo.
Audit Metadata