start-app

CRITICAL E004: Prompt injection detected in skill instructions.

• Potential prompt injection detected (high risk: 0.90). The prompt explicitly instructs modifying the agent's Claude Code permissions to auto-approve a broad set of Bash commands (bypassing permission prompts and expanding execution privileges), which alters agent security beyond simply detecting/starting a local app.

CRITICAL E006: Malicious code pattern detected in skill scripts.

• Malicious code pattern detected (high risk: 1.00). The skill contains an explicit "Bypass Permission Mode" that instructs the user to auto-approve a broad allowlist of shell commands (cat/ls/grep, node/python/npm/pip/ruby/./gradlew and many more), which deliberately disables interactive permission prompts and effectively grants the skill arbitrary command execution, file-reading, and package-installation capabilities—this is a backdoor-style pattern that enables remote code execution and supply-chain/data-exfiltration risks.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 0.90). The skill explicitly instructs the agent to bypass the Claude Code permission prompts by writing/merging an auto-approve permissions file (.claude/settings.local.json), effectively disabling the agent's security prompt protections and enabling arbitrary shell commands, which is a direct security bypass of the host environment.