subagent-engineering

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's documentation and required frontmatter guidance explicitly include and recommend web-research tools (WebFetch, WebSearch) for "Research (with web)" agents (see references/creation.md and references/spec.md) and even lists public external URLs in the reference-inventory.json, which shows the workflow expects fetching and interpreting open/public third-party content that could influence agent decisions.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 0.70). The prompt explicitly documents a permissionMode: bypassPermissions option and discusses granting tools like Bash/Edit which would skip permission checks and allow unrestricted file writes/command execution, creating a clear pathway to compromise the machine if misused.