ai-for-science-deepfri-tf-npu

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.70). The skill's required workflow explicitly downloads a public pretrained model (SKILL.md Step 1: wget https://users.flatironinstitute.org/...newest_trained_models.tar.gz) and the runtime loader in deepfrier/Predictor.py (_load_model_with_cudnn_compat) opens the HDF5, json.loads the embedded model_config and calls tf.keras.models.model_from_config and loads weights, meaning untrusted third‑party model content is parsed and directly influences model construction and inference.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 0.90). The skill instructs system-level changes (e.g., placing Bazel in /usr/local/bin, compiling/installing TensorFlow and npu_device plugins, and installing drivers/CANN) which modify files/locations that typically require elevated privileges and thus can change the machine state.