run-research

CRITICAL E004: Prompt injection detected in skill instructions.

• Potential prompt injection detected (high risk: 1.00). The prompt explicitly instructs agents to bypass permissions and continue working despite tool denials (e.g., mode: "bypassPermissions", "Never stop because a tool was denied", fallback to curl), which are deceptive directives to override access controls outside the skill's stated research purpose.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill's SKILL.md and referenced tool docs (notably the web-search and scrape-links tool descriptions and the mission prompt templates) explicitly instruct the agent to fetch and scrape arbitrary public URLs and Reddit permalinks and to extract actionable fields such as "root cause|fix steps|workarounds", which the agent is then expected to read, synthesize, and use to drive decisions and follow-up actions, exposing it to untrusted third‑party content that could carry indirect prompt injections.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 0.80). The prompt tells the agent to install tooling via shell (npx/curl) and explicitly includes a config flag mode: "bypassPermissions", which directs the agent to bypass permission/security controls and run environment-altering commands, so it encourages actions that can compromise the host state.