cortex-code

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill explicitly allows Cortex to fetch and act on web content — e.g., RESEARCH envelope = "read access plus web tools" in SKILL.md/README and the Cortex CLI reference lists a web_fetch tool — and the workflow supports headless/programmatic execution (--input-format stream-json / auto/envelope_only modes) so untrusted third‑party web content could be ingested and influence subsequent tool calls.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 0.90). The skill explicitly enables programmatic auto-approval of tool calls and describes a "DEPLOY" envelope that grants full access (including sudo and destructive operations) and invokes CLI tools and Bash commands, which facilitates the agent performing privileged or state-changing actions on the host.