utmapp

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.70). The skill's workflows explicitly cover importing .utm bundles from the public UTM gallery (references/workflows.md → "Importing a VM from the gallery") and notes UTM can fetch IPSW/images automatically, so the agent may load external, untrusted VM bundles whose config.plist / QEMU additional-arguments (third-party content) can materially change how the tooling (QEMU/utmctl/AppleScript) runs.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 0.70). The skill explicitly instructs running a sudo command (linking utmctl into /usr/local/bin) and guides destructive and system-affecting actions (creating/deleting/cloning VM bundles, editing configs, rebinding shares), so it does push the agent to modify the host system state.