skillclaw-skill-evolution

CRITICAL E006: Malicious code pattern detected in skill scripts.

• Malicious code pattern detected (high risk: 0.85). The skill explicitly intercepts and records OpenAI-compatible API sessions via a local proxy and syncs session artifacts (which can include user prompts, model outputs, and potentially API keys or other secrets) to shared cloud storage and autonomous agents—this design intentionally centralizes sensitive conversational data and credentials for cross-user sharing, presenting high-risk data exfiltration/credential-theft and supply-chain exposure (via recommended global npm installs) even though no obfuscated backdoor or explicit remote-exec payload is shown.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.95). The skill explicitly reads and syncs SKILL.md files and session artifacts from shared OSS/S3 storage (e.g., "Shared OSS Bucket", "skillclaw skills pull", "skillclaw skills list-remote" and the evolve servers reading/writing skills), which are untrusted/user-generated sources containing step-by-step instructions that agents will ingest and act on.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill runtime pulls SKILL.md files from the configured cloud storage endpoint (e.g., the OSS/S3 endpoint provided via $EVOLVE_STORAGE_ENDPOINT / OSS_ENDPOINT) and injects those fetched skill instructions into agents' behavior, so the external storage URL is used at runtime to deliver content that directly controls agent prompts.