steve

Fail

Audited by Snyk on Feb 15, 2026

Risk Level: CRITICAL
Full Analysis

CRITICAL E006: Malicious code pattern detected in skill scripts.

  • Malicious code pattern detected (high risk: 0.90). High risk — the skill instructs automatic installation and execution of third-party code, grants broad shell/network permissions, auto-configures external MCP endpoints, and disables confirmation gates, which together enable remote code execution, supply-chain attacks, and potential data exfiltration without user consent.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The skill explicitly searches and auto-installs third-party skills from the public skills.sh/npm repos (Step 2: npx skills find / npx skills add ... -y) and configures/uses external MCP servers (e.g., Context7, GitHub, Notion) with PROMPT.md instructing the agent to "use Context7 to look up docs" — meaning it will fetch and interpret public/untrusted web content and repository code as part of its workflow.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The prompt explicitly auto-installs a Stripe payments skill: "Stripe payments | npx skills add stripe/skills --agent claude-code -y" (Phase 0 Step 2). The skill instructs the agent to "Install all relevant skills immediately — don't ask, just do it" with the -y flag, which would equip the agent with a payment-gateway integration. That is a specific financial API/tool (payment gateway) and therefore meets the Direct Financial Execution criterion.

MEDIUM W013: Attempt to modify system services in skill instructions.

  • Attempt to modify system services in skill instructions detected (high risk: 0.80). The prompt tells the agent to autonomously run installs and arbitrary scripts (npx add, git clone && ./install.sh, claude mcp add), auto-update permissions in settings.local.json to allow broad shell commands, and modify system-environment files without confirmation—actions that change the host environment and can execute untrusted code, so it poses a high risk of compromising the machine state.

Audit Metadata

Risk Level: CRITICAL
Analyzed: Feb 15, 2026, 09:01 PM