phantom-ai-coworker

Fail

Audited by Snyk on Mar 31, 2026

Risk Level: CRITICAL
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The prompt shows the agent constructing and returning plaintext credentials/connection strings (e.g., returning connectionString from provisionDatabase and embedding it into dynamic tool handlers like handler: "postgres:${connectionString}" and shell commands with POSTGRES_PASSWORD), which requires the model to handle secret values and may expose them verbatim in tool definitions/responses.

CRITICAL E006: Malicious code pattern detected in skill scripts.

  • Malicious code pattern detected (high risk: 0.90). High risk: the skill intentionally includes features that can be abused as backdoors — dynamic runtime tool registration and execution (handlers that may be serialized or endpoint URLs), arbitrary shell/Docker exec on the VM (explicit execAsync usage) combined with mounting /var/run/docker.sock (host-level takeover), an MCP server exposing runtime tools to external LLM clients, public credential-collection endpoints that store sensitive secrets, and an autonomous self-evolution mechanism that can change behavior — together these enable data exfiltration, credential theft, remote code execution, and persistent compromise.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The skill explicitly ingests and acts on arbitrary user-provided content via the Slack event handler (the slack.event('message', ...) flow shown in "Slack Channel Integration") and via the /webhook/message endpoint. Those messages are passed into the agent loop (runPhantomAgent), which can trigger tool use and infrastructure actions, enabling indirect prompt injection from untrusted third-party content.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

MEDIUM W013: Attempt to modify system services in skill instructions.

  • Attempt to modify system services in skill instructions detected (high risk: 1.00). Flagged because the prompt explicitly empowers the agent to run shell commands and Docker (including via /var/run/docker.sock and suggestions to use sudo), write to system paths, provision containers/services, register runtime tools and serve content — all actions that modify the host VM state and can require elevated privileges.

Issues (5)

  • W007 (HIGH): Insecure credential handling detected in skill instructions.
  • E006 (CRITICAL): Malicious code pattern detected in skill scripts.
  • W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
  • W012 (MEDIUM): Unverifiable external dependency detected (runtime URL that controls agent).
  • W013 (MEDIUM): Attempt to modify system services in skill instructions.

Audit Metadata

  • Risk Level: CRITICAL
  • Analyzed: Mar 31, 2026, 08:58 AM
  • Issues: 5