managed-agent
Warn
Audited by Snyk on May 12, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The SKILL.md "Create" step explicitly allows adding mcpServers with arbitrary URLs and installing packages (pip/npm/apt/etc.) into the managed cloud environment. This means the cloud agent can fetch and ingest untrusted public URLs and package content; the agent reads that content via the session events, and it can materially influence subsequent tool use and decisions.
MEDIUM W013: Attempt to modify system services in skill instructions.
- Attempt to modify system services in skill instructions detected (high risk: 0.80). The skill explicitly exposes managed cloud containers where the agent can run arbitrary commands, install packages (including apt), provide init scripts, and access the filesystem—capabilities that allow modifying system files, installing software, or creating accounts even if the prompt does not explicitly instruct those actions.
Issues (2)
W011
MEDIUM Third-party content exposure detected (indirect prompt injection risk).
W013
MEDIUM Attempt to modify system services in skill instructions.
Audit Metadata