plan-execute

CRITICAL E006: Malicious code pattern detected in skill scripts.

• Malicious code pattern detected (high risk: 0.90). This skill contains high-risk operational directives — read-any-file without limits, use CLIs to fetch tickets/settings, enumerate plugins/agents, and (critically) commit and push "ALL outstanding changes" without filtering and open auto-merge PRs — which, while not containing explicit eval/remote-shell code, creates a clear and intentional avenue for data exfiltration, credential leakage, and supply-chain/remote-code modifications.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly requires reading ticket content from external third-party sources (Jira, Linear, GitHub) including comments and metadata—untrusted, user-generated content the agent will interpret and use to drive planning and actions.