huashu-agent-swarm

Fail

Audited by Snyk on Feb 25, 2026

Risk Level: CRITICAL
Full Analysis

CRITICAL E006: Malicious code pattern detected in skill scripts.

  • Malicious code pattern detected (high risk: 0.95). The skill is deliberately designed as an "unlimited autonomy" agent that can execute arbitrary bash commands on the host, install dependencies, read and write files and push them to a remote, and it also exposes an unauthenticated Dashboard/HTTP interface (bound to 0.0.0.0) and a channel that gives HUMAN_INPUT.md execution priority. This combination clearly permits remote command injection, remote code execution and potential data exfiltration/backdoor behaviour, and is high risk because it can be abused as a backdoor or a data exfiltration tool.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 1.00). Agents explicitly run git pull --rebase origin main (scripts/agent_loop.sh / start_swarm.sh) and read repository files such as HUMAN_INPUT.md and TASKS.md (dashboard.py, agent-prompt-template.md), and HUMAN_INPUT.md is explicitly prioritized and executed by agents. Because these repository contents can be updated by external/untrusted contributors, third-party user-generated content can inject instructions that materially change agent behaviour.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 1.00). The skill runs git pull/push against the repository "origin" at runtime (the project's git remote URL) and then loads AGENT_PROMPT.md and executes repository code in agent worktrees, so a remote git URL (the configured origin repo) can directly control agent prompts and delivered code.
Audit Metadata
Risk Level
CRITICAL
Analyzed
Feb 25, 2026, 09:38 AM