dispatching-coding-agents

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill's CLI references and examples show Codex can be run with a web search tool (--search) and subagents can be auto-approved (--full-auto, --dangerously-skip-permissions), meaning external web/search results (untrusted third-party content) can be fetched and used by dispatched agents as part of their research/workflow (see "CLI Reference" and example commands), which could influence their actions.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 0.70). The prompt explicitly instructs using flags that bypass permission prompts (e.g., --dangerously-skip-permissions, --full-auto) and dispatches subagents with filesystem/tool access and the ability to run arbitrary shell commands, which enables fully automated state-changing actions on the host even though it doesn't directly instruct specific sudo or user-creation commands.