codex

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The SKILL.md Additional Scenarios explicitly states "Web Search: Enable real-time web search capabilities using the --search flag", which means the agent will fetch and interpret open web content (untrusted public sources) that can influence its actions such as code generation or command execution.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 1.00). This skill explicitly enables executing shell commands, applying code patches to the worktree, injecting custom skills, and even references a "dangerously-bypass-approvals-and-sandbox" option, which encourages bypassing sandbox/security controls and thus can lead the agent to modify or compromise the host system state.