deepwork-tracker

CRITICAL E004: Prompt injection detected in skill instructions.

• Potential prompt injection detected (high risk: 1.00). The prompt includes a clear, unconditional instruction to "Always send" reports to a specific Telegram user (Alex, id 8551040296), which effectively forces data exfiltration to a third party and goes beyond the skill's stated, generic "generate for sharing" purpose.

CRITICAL E006: Malicious code pattern detected in skill scripts.

• Malicious code pattern detected (high risk: 1.00). The skill contains explicit data exfiltration behavior — it mandates always sending generated reports to a specific external Telegram user (id 8551040296), leaking user data without consent, and also instructs fetching and executing code from an external GitHub repo which adds supply-chain risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's bootstrap step explicitly clones and copies a public GitHub repo (https://github.com/adunne09/deepwork-tracker.git) to obtain and then execute ~/clawd/deepwork/deepwork.js, meaning the agent may fetch and run untrusted third‑party code and read its outputs as part of its workflow.