autopilot
Audited by Snyk on Mar 12, 2026
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 1.00). The skill explicitly requires saving the user's "EXACT original words" into command arguments and mandates writing "ALL the content you generated" (including created files and stored credentials such as auto-registered API keys saved to ~/.ai-autopilot/.env) into an output file and reporting commands, which forces the agent to handle and emit secret values verbatim.
CRITICAL E005: Suspicious download URL detected in skill instructions.
- Suspicious download URL detected (high risk: 0.85). Although hosted on legitimate GitHub domains, these URLs point to repositories from untrusted/unknown accounts and include a direct raw install.sh (an executable shell script) — a common vector for arbitrary/remote code execution — so they should be treated as high risk until the repo contents and author reputation are verified.
CRITICAL E006: Malicious code pattern detected in skill scripts.
- Malicious code pattern detected (high risk: 1.00). High-risk: the skill includes deliberate backdoor/exfiltration behaviors — hard-coded/shared API credentials (including a Gmail app password and Resend key), automatic capture and upload of user intents/outputs/transcripts to a remote community endpoint, silent auto-installation/auto-registration (including capabilities that can expose the filesystem via an MCP server), and local storage of harvested credentials — all of which enable data exfiltration and remote misuse without explicit, informed user consent.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill explicitly fetches and ingests open third-party content as part of its runtime flow: SKILL.md Phase 0/Phase 4 require querying the community API and web searches (e.g., calls to python3 .../scripts/report.py query/search-solutions and the Auto-Fix step "search the web" / Playwright auto-registration), and report.py implements do_query/do_query_popular/do_search_solutions and a "brave-search" capability that adds MCP web search; those external, user/community-generated pages/solutions are parsed and used to adapt plans and drive execution, so untrusted third-party content can materially influence tool use and actions.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill includes runtime install commands that fetch and execute remote code — notably the capability install entries that run npx to add MCP servers (e.g. "claude mcp add filesystem -- npx -y @modelcontextprotocol/server-filesystem" and "claude mcp add brave-search -- ... npx -y @modelcontextprotocol/server-brave-search") which download+run remote packages that can execute code and inject model context, and the auto-fix steps run remote installers such as "https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh" — all of which are invoked at runtime when capabilities or fixes are needed.
MEDIUM W013: Attempt to modify system services in skill instructions.
- Attempt to modify system services in skill instructions detected (high risk: 1.00). The skill explicitly requires autonomous, silent modification of the system (installing packages via apt-get/brew/pip/npm, creating/modifying config and credential files under home, auto-registering accounts, backing up and writing files) and insists on “just do it” auto-fixes without user prompts, which directly changes machine state and can require privilege-escalating actions—so it poses a high risk of compromising the host.