git-delegation

CRITICAL E006: Malicious code pattern detected in skill scripts.

• Malicious code pattern detected (high risk: 0.90). This skill explicitly allows untrusted Workers to ask a Manager (which holds git credentials and operates under /root and a shared MinIO-backed workspace) to run arbitrary git and shell commands in one request, creating strong vectors for remote code execution, credential theft, and data exfiltration (e.g., cloning private repos, catting credential files or /etc/shadow into the workspace and syncing them out), and also enables supply‑chain abuse (pushing commits, running build/post‑install steps) — overall high risk of deliberate misuse.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill explicitly directs delegating git operations that clone arbitrary public repositories (e.g., "operations:
• git clone https://github.com/org/repo.git" in Message Format / Step 2) and then instructs syncing and reading files from the cloned workspace (e.g., "hiclaw-sync" then "cat src/main.py"), so untrusted, user-generated content from public repos can be ingested and influence subsequent actions.