ai-for-science-ascend-tf-community
Warn
Audited by Snyk on Mar 28, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.80). SKILL.md explicitly directs fetching public third-party artifacts (e.g., git clone https://github.com/tensorflow/tensorflow.git, wget of the nsync tarball from GitHub, and wget of the Ascend tfplugin from ascend-repo.obs.cn-east-2.myhuaweicloud.com) and then instructs applying patches, building, and installing those artifacts, so the workflow clearly downloads and consumes untrusted/user-provided code whose contents can materially influence subsequent actions.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill explicitly downloads and executes a remote installer at runtime (the Ascend tfplugin .run) from https://ascend-repo.obs.cn-east-2.myhuaweicloud.com/CANN/CANN%208.0.RC3/Ascend-cann-tfplugin_8.0.RC3_linux-aarch64.run to extract and install the required npu_device wheel, which constitutes fetching and executing remote code that the skill depends on.
MEDIUM W013: Attempt to modify system services in skill instructions.
- Attempt to modify system services in skill instructions detected (high risk: 0.70). The skill instructs installing system-level components (writing to /usr/local/bin, running .run installers that place files under system paths, and changing build/config files), actions that modify the machine state and typically require elevated privileges even though it doesn't explicitly ask to bypass sudo.
Issues (3)
W011
MEDIUM Third-party content exposure detected (indirect prompt injection risk).
W012
MEDIUM Unverifiable external dependency detected (runtime URL that controls agent).
W013
MEDIUM Attempt to modify system services in skill instructions.
Audit Metadata