coding-agent

Fail

Audited by Snyk on Mar 9, 2026

Risk Level: CRITICAL
Full Analysis

CRITICAL E006: Malicious code pattern detected in skill scripts.

  • Malicious code pattern detected (high risk: 0.90). This skill contains multiple patterns that deliberately enable unsandboxed remote code execution and data exfiltration (a hardcoded API key, explicit "--yolo" / "elevated" modes that bypass sandboxing and approvals, background PTY sessions with stdin control, auto-commit/push and notification hooks to external services, and instructions to install third-party agents). Together these present a high risk of intentional abuse for credential theft, remote code execution, and exfiltration.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The SKILL.md explicitly instructs cloning and operating on public GitHub repositories (e.g., "git clone https://github.com/user/repo.git $REVIEW_DIR" under "Reviewing PRs") and running coding agents in those workdirs, which means the agent fetches and interprets untrusted, user-generated third-party code/content and can take actions (reviews, commits, pushes) influenced by that content.

MEDIUM W013: Attempt to modify system services in skill instructions.

  • Attempt to modify system services in skill instructions detected (high risk: 0.70). The prompt does not explicitly ask for sudo, user creation, or editing system configs, but it repeatedly encourages running unsandboxed/elevated agents (e.g. --yolo, elevated:true, host execution) and running arbitrary install/command sequences that can modify host state, so it meaningfully pushes the agent toward compromising the machine.

Audit Metadata

Risk Level: CRITICAL
Analyzed: Mar 9, 2026, 10:14 PM