agent-sdk-builder

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly exposes the agent to public web content — e.g., built-in tools "WebSearch" and "WebFetch" are listed in SKILL.md/Overview.md, Quickstart shows adding WebSearch, the MCP examples (Playwright/my-api) and a direct fetch URL (https://code.claude.com/docs/llms.txt) demonstrate fetching arbitrary external pages/apis that the agent is expected to read and act on at runtime, so untrusted third‑party content can materially influence tool choices and actions.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 0.70). The skill explicitly enables and demonstrates running shell tools (Bash), file Write/Edit operations, and permission modes like "acceptEdits" and "bypassPermissions" that auto-approve modifications, which could allow an agent to change the host filesystem or run privileged commands even though it doesn't explicitly instruct creating users or using sudo.