724-office-ai-agent

Fail

Audited by Snyk on Mar 22, 2026

Risk Level: CRITICAL

CRITICAL E006: Malicious code pattern detected in skill scripts.

  • Malicious code pattern detected (high risk: 0.90). This skill is not overtly malware, but it intentionally includes multiple high-risk capabilities: runtime tool creation with hot-loading, an in-process exec tool, an HTTP server bound to 0.0.0.0, MCP plugin loading (including arbitrary HTTP/stdio endpoints), a scheduler that persists and runs jobs, and an auto-spawning Docker router. Together these provide clear, deliberate vectors for remote code execution, persistence, and data exfiltration if abused.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The skill explicitly ingests untrusted user-generated content and third-party tool outputs. For example, session memories are retrieved and injected into the system prompt (Three-Layer Memory + "memory_block" injection), and external MCP/plugins and web-fetching tools (tools.get_schema(), fetch_weather, xiaowang.py media download) are executed and their results appended to the conversation in the Tool-Use Loop, so remote or user-provided content can influence subsequent actions.

Issues (2)

E006 (CRITICAL): Malicious code pattern detected in skill scripts.

W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).

Audit Metadata

Risk Level: CRITICAL
Analyzed: Mar 22, 2026, 04:20 AM
Issues: 2