polyphony

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.75). Work Source pulls tasks from GitHub Issues via gh api, and the issue body/comments (outsider-authored) are typically returned as readable text that the orchestrator then routes into the worker/LLM context.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 0.70). The skill explicitly directs creating Docker containers, writing config in ~/.polyphony, performing git branch/clones and mounting host credential volumes into containers (even read‑only), all of which modify the host state and can expose secrets — so it meaningfully risks compromising the machine even though it does not request sudo or user creation.