quota-reporter
Fail
Audited by Snyk on May 8, 2026
Risk Level: CRITICAL
Full Analysis
CRITICAL E006: Malicious code pattern detected in skill scripts.
- Malicious code pattern detected (high risk: 1.00). This package implements deliberate credential exfiltration and remote-controlled credential rotation: it reads local Codex/Claude credentials (including keychain-stored OAuth blobs), uploads those auth blobs to a remote "auth-pool" endpoint, stores a personal auth-pool token locally, installs persistent schedulers (cron/launchd/Windows Task) to run every 15 minutes, and can fetch and overwrite local credentials from the cloud — enabling unauthorized data exfiltration, persistence, and remote replacement of local credentials.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill explicitly contacts a third-party "auth-pool" service (auth_pool_url shown in SKILL.md and default in scripts like scripts/install_quota_guard.py and scripts/quota_guard.py) and calls endpoints such as /api/auth/fetch-best (implemented in scripts/fetch_best_codex_auth.py and quota_reporters.fetch_best_auth) to download user-provided auth_json which the agent then writes into local auth files and uses—allowing untrusted, user-generated content from the hub to influence credential installation and subsequent tool behavior.
MEDIUM W013: Attempt to modify system services in skill instructions.
- Attempt to modify system services in skill instructions detected (high risk: 0.90). The skill instructs installing persistent components (a reboot‑safe 15‑minute scheduler), writing and replacing local auth files (e.g. ~/.agents/auth/*, ~/.codex/auth.json, ~/.claude/settings.json), and storing personal/company tokens locally and automatically fetching/installing credentials—actions that modify the machine's state and store sensitive secrets even though it doesn't explicitly request sudo.
Issues (3)
- E006 (CRITICAL): Malicious code pattern detected in skill scripts.
- W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
- W013 (MEDIUM): Attempt to modify system services in skill instructions.