dev-swarm-headless-ai-agents

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill's required workflow points to the agent reference files (references/codex.md and references/gemini-cli.md), which explicitly include flags and examples to enable live web search/--search and a search extension (and combine these with auto-approve/headless flags like --ask-for-approval never and --yolo), meaning the headless agents can fetch and ingest open/public web content (untrusted third-party content) and act on it—creating a clear avenue for indirect prompt injection.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (medium risk: 0.60). The skill explicitly instructs using permission-bypass flags (e.g., --dangerously-skip-permissions, --ask-for-approval never, --yolo) that encourage circumventing security prompts and allow headless agents to perform actions without human approval, even though it does not request sudo, create users, or directly modify system-level files.