maggy
Fail
Audited by Snyk on Apr 22, 2026
Risk Level: CRITICAL
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 1.00). The prompt includes explicit secret-like values (e.g., "export GITHUB_TOKEN=ghp_..." and "export ANTHROPIC_API_KEY=sk-ant-...") and shows them embedded in shell commands, which encourages the LLM to handle or reproduce secrets verbatim and creates an exfiltration risk.
CRITICAL E006: Malicious code pattern detected in skill scripts.
- Malicious code pattern detected (high risk: 1.00). High risk: the skill intentionally disables permission prompts (claude -p --dangerously-skip-permissions), granting the spawned model full file write and shell execution inside target repos while ingesting issue-tracker content and local dotfiles and environment tokens—this design explicitly enables remote code execution, credential access/exfiltration, prompt-injection and supply‑chain abuse.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.80). Flagged because the "Competitor Intelligence" section of SKILL.md explicitly states Maggy "monitors their RSS blogs + Google News daily," meaning it fetches and ingests public third-party web content (blogs/news) which the agent reads and uses to generate briefings that can influence decisions.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill fetches issue content from configured trackers (e.g., GitHub Issues via https://api.github.com) at runtime and injects that content into the Claude prompt while running with --dangerously-skip-permissions, so remote issue text can directly control the agent's actions and lead to arbitrary code execution in the target repo.
MEDIUM W013: Attempt to modify system services in skill instructions.
- Attempt to modify system services in skill instructions detected (high risk: 1.00). Yes — the skill explicitly spawns Claude with --dangerously-skip-permissions, granting the agent full ability to write/edit files and run shell commands (bypassing permission prompts), which can modify the machine/repo state and therefore can compromise the host.
Issues (5)
- W007 (HIGH): Insecure credential handling detected in skill instructions.
- E006 (CRITICAL): Malicious code pattern detected in skill scripts.
- W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
- W012 (MEDIUM): Unverifiable external dependency detected (runtime URL that controls agent).
- W013 (MEDIUM): Attempt to modify system services in skill instructions.