skill-manager
Fail
Audited by Snyk on Feb 15, 2026
Risk Level: CRITICAL
Full Analysis
CRITICAL E006: Malicious code pattern detected in skill scripts.
- Malicious code pattern detected (high risk: 0.90). The code contains high-risk insecure patterns: untrusted GitHub URLs from the bundled database are interpolated into shell commands (execSync with svn/git commands), enabling command injection / remote code execution and arbitrary filesystem modification (removing/overwriting skill folders). It also contains dangerous deletion utilities and unrestricted downloading of remote repository content. While not obviously obfuscated or explicitly exfiltrating secrets, these vulnerabilities enable supply-chain and RCE attacks and should be treated as high risk.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). This skill actively fetches and parses content from arbitrary public GitHub repositories (e.g., src/index.js: installWithSvn / installWithSparseCheckout / installSkillMdOnly, which download repo folders or SKILL.md, and scripts/scan_and_check.py, which queries remote repos), so it ingests untrusted, user-generated third-party content that the agent reads and displays.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill-manager explicitly downloads SKILL.md at runtime from raw GitHub URLs (e.g. https://raw.githubusercontent.com/.../SKILL.md) and can also fetch full folders via GitHub/SVN/git URLs (e.g. https://github.com/.../trunk/... and https://github.com/owner/repo.git). Those fetched files are used to determine skill behavior and can inject prompts or include executable code, so remote content directly controls agent instructions at runtime.