create-beads-orchestration

CRITICAL E006: Malicious code pattern detected in skill scripts.

• Malicious code pattern detected (high risk: 0.90). This package contains multiple high-risk supply-chain and remote-execution patterns: it automatically fetches external agent templates and writes them into .claude/agents while mandating frontmatter "tools: *" (granting full tool/MCP access), invokes external CLIs/providers (codex/gemini) with potentially sensitive prompts, and runs remote install scripts (curl | bash) — together these enable remote code execution, data leakage, and backdoor/supply-chain abuse.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The Discovery agent explicitly uses WebFetch to fetch specialist agent definitions from an external public repository (e.g., "WebFetch(url="https://github.com/ayush-that/sub-agents.directory\")" in templates/agents/discovery.md) and then reads and injects that fetched markdown into supervisors, meaning the agent will ingest and interpret untrusted third‑party content from the open web.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The discovery agent uses WebFetch at runtime to pull specialist agent definitions from https://github.com/ayush-that/sub-agents.directory, and those fetched markdown agent files are (mandatorily) injected into supervisors—directly influencing agent prompts/tools and execution behavior.