deepagents-implementation

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The SKILL.md explicitly shows agents using a web_search tool (e.g., "tools=[web_search]" and "Search the web to answer questions") and an MCP example that loads a GitHub MCP server (references in the "MCP Tool Integration" section), meaning the agent is expected to fetch and interpret public web/GitHub content which could contain untrusted, user-generated instructions influencing its actions.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (medium risk: 0.40). The prompt doesn't explicitly instruct privileged actions (creating users, editing systemctl/ssh, or obtaining sudo), but it exposes real-disk FilesystemBackend, an execute tool for shell commands, and destructive tools like delete_file which could be used to modify the host state — so it poses a moderate risk.