autonomous-skill

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill explicitly supports enabling network access (scripts/run-session.sh --network sets codex exec --dangerously-bypass-approvals-and-sandbox) and SKILL.md includes an example "Fetch data from GitHub API and analyze", so the Codex agent can fetch and read public, user-generated third-party content (e.g., GitHub) that could influence its actions.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 0.90). The skill explicitly includes and encourages use of flags that bypass approvals and the sandbox (e.g., --dangerously-bypass-approvals-and-sandbox) and enables full access/network modes, which instructs the agent to circumvent security protections and could let it modify machine state.