orchestrator-implementation

Fail

Audited by Snyk on Apr 23, 2026

Risk Level: CRITICAL
Full Analysis

CRITICAL E006: Malicious code pattern detected in skill scripts.

  • Malicious code pattern detected (high risk: 0.90). The content does not contain an explicit payload or obfuscated malware, but it includes multiple high-risk capabilities that can be turned into (and are easily abused as) backdoors or data-exfiltration/RCE vectors: unrestricted subprocess execution of local plugin scripts, silent background learning that can collect and transmit fingerprints, automatic scanning of home/config plugin paths, and starting background web servers with no strict host binding. The implementation therefore demonstrates high intentional-abuse potential.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.80). The skill accepts arbitrary http(s) URLs via parse_web_validation_args and invokes the lib/web_validator.py handler for the /validate:web command (part of the required command workflow), which means the agent will fetch and process untrusted third‑party webpages that can influence tool actions (e.g., --auto-fix), exposing it to indirect prompt injection.

Issues (2)

  • CRITICAL E006: Malicious code pattern detected in skill scripts.
  • MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

Audit Metadata
Risk Level: CRITICAL
Analyzed: Apr 23, 2026, 02:34 PM
Issues: 2