research

Fail

Audited by Snyk on Feb 16, 2026

Risk Level: CRITICAL
Full Analysis

CRITICAL E006: Malicious code pattern detected in skill scripts.

  • Malicious code pattern detected (high risk: 0.90). This skill contains explicit instructions to write local files and upload them to an external Notion endpoint using an environment API key and to delete local traces — behavior that enables data exfiltration and potential credential exposure (high risk); no obfuscated payloads or active remote shell code were found, but the file-write/upload/delete workflow and requirement to read/use NOTION_API_KEY are dangerous.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). Flagged: the skill explicitly requires "必须联网检索最新数据与新闻" (must search the internet for the latest data and news) and that the output include "所有数据源与链接" (all data sources and links), i.e., fetching and ingesting public web news/data, so the agent will read and interpret open third-party content as part of its workflow.

MEDIUM W013: Attempt to modify system services in skill instructions.

  • Attempt to modify system services in skill instructions detected (high risk: 0.90). Flagged because the skill explicitly instructs the agent to write a file to a host path, execute a local Python script to upload it, and then delete the file—i.e., it directs the agent to modify the machine's filesystem and run commands, which changes host state and can execute arbitrary code.

Audit Metadata
Risk Level
CRITICAL
Analyzed
Feb 16, 2026, 01:12 AM