dependency_confusion_test
Fail
Audited by Snyk on Feb 26, 2026
Risk Level: CRITICAL
Full Analysis
CRITICAL E006: Malicious code pattern detected in skill scripts.
- Malicious code pattern detected (high risk: 1.00). The script intentionally performs a dependency-confusion/supply-chain attack by installing typosquatted/fake packages at runtime and dynamically importing/calling them (e.g., urllib3_lib.activate()), which enables remote code execution/backdoor installation even though it does not itself show explicit exfiltration.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 1.00). The TOOL.py script explicitly runs pip to install packages from public package indexes and then imports/executes them (see ensure_dependencies and import_malicious in TOOL.py), which downloads and runs untrusted third-party code that could inject instructions or alter agent behavior.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 1.00). TOOL.py runs pip install at runtime for packages with typo-squatting names (e.g., "reqeusts" and "urllib3-lib", which would be fetched from PyPI like https://pypi.org/project/reqeusts and https://pypi.org/project/urllib3-lib), and then imports/uses them. This fetches and installs remote code at runtime that can execute when installed or imported, meeting the criteria for a risky external dependency.
Audit Metadata