schedule

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's workflow (SKILL.md "Scheduling an AI agent") and the referenced oneshot docs (e.g., references/oneshot-copilot.md, oneshot-claude.md, references/oneshot-opencode.md) instruct creating scheduled AI runs with flags like --allow-all / --allow-all-urls, WebFetch/MCP tools, or permissive OpenCode agent permissions (webfetch/websearch), which clearly allows the agent to fetch and interpret arbitrary public web/MCP content that could contain untrusted/user-generated instructions influencing subsequent actions.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (low risk: 0.30). The skill instructs the agent to create persistent scheduled tasks (modifying the scheduler state) and even suggests pre-granting broad AI permissions (e.g. --allow-all, --permission-mode bypassPermissions), which can enable later state-changing actions, but it does not request sudo, editing privileged system files, or creating user accounts.