ln-032-vps-project-runtime
Warn
Audited by Snyk on May 5, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 1.00). The skill explicitly clones or updates the project from ${REPO_URL} and then renders and processes project .claude/ files (Phase 2: "clone or update ${REPO_URL} at ${REPO_REF}" and "render project .claude/ files"), which exposes the agent to arbitrary/untrusted third-party repository content that can influence behavior.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). This skill explicitly clones or updates an external git repository at the runtime-provided ${REPO_URL} and renders/copies .claude/ instruction files (e.g., dispatcher.md.template) from that repo into the agent runtime, meaning the fetched content can directly control agent prompts and is a required runtime dependency (${REPO_URL}).
MEDIUM W013: Attempt to modify system services in skill instructions.
- Attempt to modify system services in skill instructions detected (high risk: 1.00). The skill requires creating system directories under /etc and /var and installing service/scheduler (systemd) templates, which modify system-level files and thus require elevated (sudo/root) privileges.
Issues (3)
- W011 MEDIUM: Third-party content exposure detected (indirect prompt injection risk).
- W012 MEDIUM: Unverifiable external dependency detected (runtime URL that controls agent).
- W013 MEDIUM: Attempt to modify system services in skill instructions.