ag2-shell-tool

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The SKILL.md's "Provider-native ShellTool" section shows the agent can run in a ContainerAutoEnvironment with a network_policy (e.g., allowed_domains=["pypi.org"]) and the LocalShellTool examples explicitly discuss allowing/blocking network commands like curl/wget, meaning the agent can fetch and then read/act on content from public sites (e.g., PyPI), which could enable indirect prompt injection.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 0.95). Yes — the skill grants arbitrary local shell execution by default (LocalShellTool without a LocalShellEnvironment), which allows modifying files, services, or creating users and thus can compromise the host unless sandboxing/allowlists are properly enforced.