deepagents

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's examples and quickstart explicitly show and instruct creating/using an internet_search tool (e.g., references/core.md and references/getting_started.md with tavily_client.search and subagent examples that accept include_raw_content) which would fetch and ingest raw public web content that the agent then reads and synthesizes, exposing it to untrusted third-party input.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (medium risk: 0.50). The skill documents and exposes filesystem tools (read_file, write_file, edit_file) and examples for mounting the local filesystem via FilesystemBackend (configurable root_dir) which allows an agent to modify files on the host (and thus the machine state) though it does not explicitly instruct privilege escalation, creating users, or editing system service/ssh files.