onboarding
Warn
Audited by Snyk on Mar 30, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.80). The skill's Phase 3 "Human Profile" explicitly instructs the agent to fetch and analyze user-provided websites, social profiles, and GitHub pages ("If they provide a website, socials, or GitHub, fetch and analyze them"), i.e., ingesting arbitrary public third-party content that will be interpreted and used to shape agent behavior.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 1.00). The skill runs the command "curl -fsSL https://bun.sh/install | bash" at runtime to install Bun (a required dependency for the MCP server), which downloads and directly executes remote code from https://bun.sh/install.
MEDIUM W013: Attempt to modify system services in skill instructions.
- Attempt to modify system services in skill instructions detected (high risk: 0.80). The skill instructs the agent to perform many persistent, state-changing actions (install software via curl|bash, write config files, merge and modify ~/.claude/settings.json to pre-grant permissions, create directories, signal daemons, and schedule background tasks) which can broaden access and establish persistent behaviors on the host even without sudo, so it poses a significant machine-state compromise risk.
Issues (3)
- W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
- W012 (MEDIUM): Unverifiable external dependency detected (runtime URL that controls agent).
- W013 (MEDIUM): Attempt to modify system services in skill instructions.
Audit Metadata