crabbox

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly ingests external, user-generated content as part of its workflow (e.g., the --fresh-pr |URL|number flow that creates a fresh remote checkout of a GitHub PR and the desktop/webvnc --url options), so the agent will fetch and execute/interpret untrusted third-party pages/PRs which could carry indirect prompt-injection content.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 0.90). The prompt includes explicit instructions that modify system-wide state (e.g., "sudo ln -sf "$PWD/" /usr/local/bin/"), install software, and persist files on remote boxes, which require sudo and can change the machine state.