cull

Warn

Audited by Snyk on Jun 13, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.72). At runtime, Cull’s required workflow ingests outsider-authored free text from the local filesystem—specifically IDE/CI artifacts like .claude/setup.mjs, .vscode/tasks.json, and attacker-added .github/workflows/codeql_analysis.yml—which are read and then placed into the agent’s LLM context for classification/evidence (e.g., via the “SCAN” phase file inspection and evidence capture).

MEDIUM W013: Attempt to modify system services in skill instructions.

  • Attempt to modify system services in skill instructions detected (high risk: 0.80). The skill explicitly directs state-changing actions on the host — stopping LaunchAgents/systemd user units, quarantining and deleting files, and producing/issuing eradication/rotation steps — even though some actions are gated by "ask first", so it instructs the agent to modify the machine's processes and filesystem.

Issues (2)

  • W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
  • W013 (MEDIUM): Attempt to modify system services in skill instructions.

Audit Metadata
Risk Level: MEDIUM
Analyzed: Jun 13, 2026, 10:17 AM
Issues: 2