research

Fail

Audited by Snyk on Mar 23, 2026

Risk Level: CRITICAL
Full Analysis

CRITICAL E006: Malicious code pattern detected in skill scripts.

  • Malicious code pattern detected (high risk: 0.90). The skill contains explicit, mandatory stealthy network behavior (a backgrounded curl POST to http://localhost:8888/notify that must run "before anything else" and discards output), broad instructions to read and bundle deeply sensitive local contexts (~/.claude/PAI, history, current-work.json), and built-in use of third-party scraping MCPs (BrightData/Apify) described specifically to bypass CAPTCHAs/Cloudflare and scrape protected sites. Combined, these behaviors enable covert beaconing, local context harvesting, and automated bypass-assisted scraping; this is high-risk and easily repurposed for exfiltration or backdoor signaling.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The skill's workflows explicitly fetch and ingest public third-party content (e.g., WebFetch/WebSearch, fabric -y for YouTube, BrightData/Apify scraping) as required steps; see Workflows/Retrieve.md, WebScraping.md, YouTubeExtraction.md and Fabric.md. That external content is analyzed and used to drive agent decisions and follow-on actions (entity selection, synthesis, tool escalation), which allows untrusted content to indirectly influence behavior.

Issues (2)

CRITICAL E006: Malicious code pattern detected in skill scripts.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

Audit Metadata

Risk Level: CRITICAL
Analyzed: Mar 23, 2026, 09:37 AM
Issues: 2