boost-modules

CRITICAL E006: Malicious code pattern detected in skill scripts.

• Malicious code pattern detected (high risk: 0.90). The module system allows execution of arbitrary Python code with network access and access to environment variables/keys (e.g., HARBOR_BOOST_OPENAI_KEYS) and includes examples that fetch external URLs (requests.get), so while no obfuscated payloads or explicit backdoors appear, the design enables data exfiltration, credential theft, prompt-injection abuses, and remote-code actions if a malicious module is installed.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The "URL Reader" example scans user messages for arbitrary https:// URLs and calls requests.get(url).text to fetch page content and inject it into the prompt, which clearly ingests untrusted third-party web content and enables indirect prompt injection.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The "URL Reader" module uses requests.get to fetch arbitrary URLs matched by the regex https?://[^\s]+ at runtime and injects the fetched content directly into the LLM prompt, meaning remote content can control prompts and thus is a high-confidence runtime risk.