forge

CRITICAL E006: Malicious code pattern detected in skill scripts.

• Malicious code pattern detected (high risk: 0.90). The skill design contains multiple high-risk, abuse-friendly capabilities — it creates persistent dynamic skills in the user's home that are allowed to run Bash, Read and Write, can invoke arbitrary user-installed skills (supply-chain risk), fetch arbitrary external links (possible data exfiltration/SSRF), probe localhost/dev servers (internal scanning), and explicitly removes its artifacts (rm -rf) which together enable remote-code-execution/backdoor and covert exfiltration if abused.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.95). The skill's Phase 3.2 "Resource Scanning" explicitly instructs the agent to visit and read arbitrary linked content (Confluence pages, GitHub PRs, Figma links, and "other links" via WebFetch) and states "MUST read the content from the link to understand what is required," meaning untrusted third-party/user-generated content is ingested and can materially influence planning and tool use.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill explicitly fetches and reads the supplied JIRA ticket URL at runtime (e.g., https://yourcompany.atlassian.net/browse/PROJ-123) and also visits linked resources via WebFetch/GitHub/Confluence, and those fetched documents are injected into the generated context and used to build/drive prompts and the dynamic skill—so external content directly controls agent prompts.