agentic-workflow
Fail
Audited by Snyk on Mar 6, 2026
Risk Level: CRITICAL
Full Analysis
CRITICAL E005: Suspicious download URL detected in skill instructions.
- Suspicious download URL detected (high risk: 0.80). High risk: the URL is a direct link to an install.sh shell script. Piping or running remote .sh files is a common malware distribution pattern and should be treated as suspicious unless the domain (claude.ai) is independently verified and the script contents are reviewed.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). SKILL.md explicitly instructs using MCP servers for web crawling and browsing (e.g., section "5. Using MCP servers" lists "Firecrawl: Web crawling" and "Playwright: Control web browser" and includes ask-gemini/large-scale analysis examples), which means the agent is expected to fetch and analyze public/untrusted web content that could materially influence its subsequent actions.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 1.00). The Dockerfile includes a runtime install command "RUN curl -fsSL https://claude.ai/install.sh | sh", which fetches and immediately executes remote code from https://claude.ai/install.sh, satisfying the criteria for a required external dependency that executes remote code.
Audit Metadata