use-slicer
Warn
Audited by Snyk on Apr 21, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The SKILL.md workflows explicitly run networked installers and fetch public artifacts (e.g., "curl -sfL https://get.k3s.io | sh", installing via arkade, and pulling images from ghcr.io) and the agent is expected to execute commands and read VM output/logs, so untrusted third‑party content from the open web can be ingested and influence subsequent tool use.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill contains an explicit runtime command that fetches and pipes a remote installer into a shell ("curl -sfL https://get.k3s.io | sh -"), which downloads and immediately executes remote code at runtime (https://get.k3s.io), satisfying the flag criteria.
MEDIUM W013: Attempt to modify system services in skill instructions.
- Attempt to modify system services in skill instructions detected (high risk: 0.90). The prompt explicitly instructs the agent to run host-level privileged actions (e.g., "sudo -E slicer up", reading /var/lib/slicer/auth/token via sudo, modifying network/CIDR, starting daemons) which require sudo and can alter the machine's system state, so it should be flagged.
Issues (3)
- MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- MEDIUM W013: Attempt to modify system services in skill instructions.