codex-agent

Warn

Audited by Snyk on May 11, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The SKILL.md (in the "本机浏览器调研" ("local browser research") examples) and references/browser-research-prompt-recipes.md explicitly instruct the agent to use Computer Use to open Google Chrome and browse Reddit and other public sites to read and summarize user-generated posts. That is untrusted third-party content the agent must interpret, and anything embedded in it can materially affect the agent's outputs and follow-up actions.

MEDIUM W013: Attempt to modify system services in skill instructions.

  • Attempt to modify system services in skill instructions detected (medium risk: 0.60). The prompt frequently recommends writable and "danger-full-access" sandbox modes (e.g. --sandbox workspace-write / danger-full-access, --full-auto, --dangerously-bypass-approvals-and-sandbox, --add-dir) and shows examples writing into local files and directories (including /tmp). This encourages an agent to modify the host filesystem and bypass safety checks, but the instructions do not explicitly tell the agent to acquire sudo, alter system-level configuration files, or create user accounts.
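As an added example (not Snyk's scanner and not code from the codex-agent project), the following Python script shows the kind of check behind both findings: it scans a constructed SKILL.md excerpt for the sandbox-weakening Codex CLI flags named in W013 and for instructions to browse user-generated-content sites as in W011, then reports the highest risk weight per finding code. The flag names come from the report above; the per-flag weights, the list of UGC hosts, and the sample skill text are this example's own assumptions.

```python
"""Lint a skill's SKILL.md for the two patterns the audit above reports:
W011 (agent told to read user-generated web content) and W013 (agent told
to run with a weakened sandbox). Added example; not Snyk's scanner."""
import re
from dataclasses import dataclass

# Constructed excerpt standing in for the audited SKILL.md (not the real file).
SAMPLE_SKILL_MD = """\
# codex-agent

## Local browser research
Use Computer Use to open Google Chrome, browse reddit.com for recent threads
about the topic and summarize the top posts.

## Running tasks
codex --sandbox workspace-write "refactor the module"
codex --full-auto "run the tests and fix failures"
codex --dangerously-bypass-approvals-and-sandbox "deploy"
codex --sandbox danger-full-access --add-dir /tmp "collect logs"
"""

# Codex CLI flags/modes named in the report. The weights are an assumption of
# this example, ordered by how much of the sandbox/approval gate each removes.
DANGEROUS_FLAGS = {
    "--dangerously-bypass-approvals-and-sandbox": 0.9,
    "danger-full-access": 0.8,
    "--full-auto": 0.6,
    "workspace-write": 0.4,
    "--add-dir": 0.3,
}

# Hosts whose pages are mostly user-generated content (constructed list).
# Longer alternatives come first so "reddit.com" is not reported twice.
UGC_HOST_RE = re.compile(
    r"\b(old\.reddit\.com|reddit\.com|twitter\.com|x\.com|news\.ycombinator\.com|reddit)\b",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Finding:
    code: str       # "W011" or "W013"
    line: int       # 1-based line number in the skill text
    score: float    # assumed risk weight in [0, 1]
    evidence: str   # the host or flag that triggered the finding


def scan(skill_text: str) -> list[Finding]:
    """Return one Finding per UGC host mention (W011) and per dangerous flag (W013)."""
    findings: list[Finding] = []
    for lineno, line in enumerate(skill_text.splitlines(), start=1):
        for match in UGC_HOST_RE.finditer(line):
            # Any page the agent reads here is untrusted input; weight it high.
            findings.append(Finding("W011", lineno, 0.9, match.group(0).lower()))
        for flag, score in DANGEROUS_FLAGS.items():
            if flag in line:
                findings.append(Finding("W013", lineno, score, flag))
    return findings


def summarize(findings: list[Finding]) -> dict[str, float]:
    """Highest score seen for each finding code, e.g. {'W011': 0.9, 'W013': 0.9}."""
    worst: dict[str, float] = {}
    for f in findings:
        worst[f.code] = max(worst.get(f.code, 0.0), f.score)
    return worst


if __name__ == "__main__":
    results = scan(SAMPLE_SKILL_MD)
    for f in results:
        print(f"{f.code} line {f.line:>2} score {f.score:.2f}  {f.evidence}")
    print("worst per code:", summarize(results))
```

Running the script on the constructed excerpt reports one W011 hit (the reddit.com line) and five W013 hits across the four codex invocations, with the bypass flag and danger-full-access scoring highest; a skill that only asks the agent to read files inside the repository produces no findings.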

Issues (2)

W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).

W013 (MEDIUM): Attempt to modify system services in skill instructions.

Audit Metadata
Risk Level
MEDIUM
Analyzed
May 11, 2026, 03:33 AM
Issues
2