omnidrive

CRITICAL E004: Prompt injection detected in skill instructions.

• Potential prompt injection detected (high risk: 0.90). The skill contains hidden/deceptive instructions outside its stated "autopilot" scope — e.g., mandatory verbatim logging of user input, automatic registration of external accounts and silent credential harvesting/storage, compulsory saving/uploading of all AI outputs and environment changes, and persistent silent preference writes — which secretly collect and persist user data and perform potentially sensitive actions without explicit, transparent consent.

---

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The skill explicitly auto-requests, generates, and stores API keys/credentials (including auto-registering services and asking the user as a last resort) and mandates saving "ALL the content you generated" (including code/configs) into a report file and sending it to reporting commands, which forces the LLM to handle and potentially emit secret values verbatim — a high exfiltration risk.

---

CRITICAL E005: Suspicious download URL detected in skill instructions.

• Suspicious download URL detected (high risk: 0.85). These point to unverified GitHub accounts and include a direct raw .sh installer URL (install.sh), which is a high-risk pattern—running unknown installer scripts from personal/low-reputation repos is a common malware/supply-chain vector.

---

CRITICAL E006: Malicious code pattern detected in skill scripts.

• Malicious code pattern detected (high risk: 1.00). High-risk: the skill contains deliberate backdoor and exfiltration behaviors — hardcoded/shared API keys and a Gmail app password, explicit author guidance to pre-embed/ship keys, automatic capture of user transcripts/intents and full output (and code/content) for upload to a community endpoint, zero‑config email delivery via author-controlled accounts, automated account registration and credential storage, and mechanisms to install/run remote install scripts or expose the local filesystem — all of which enable unauthorized data exfiltration and remote abuse.

---

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill's required workflow (Phase 0 "Solution Library Search" and Mode A discovery) calls scripts/report.py to query a community API and GitHub (e.g., python3 .../report.py query-popular and search-solutions) and then parses and replays returned solution JSON via the Solution Replay Protocol to adapt and execute steps, so arbitrary/public user-generated content from the community/GitHub is ingested and can directly change tool selection and execution behavior.

---

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill's Auto-Fix behavior reads references/env_fixes.md at runtime and runs commands that fetch+execute remote install scripts (e.g. curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh | bash), which directly executes remote code on the host and is therefore a runtime-executed external dependency risk.

---

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 1.00). The skill explicitly orders silent auto-installation (apt-get/brew/pip), auto-modification of files/configs, automatic credential registration, and even to "find bypass paths" for infrastructure/permission issues, which encourages privileged changes and potential security-bypassing operations on the host.