autonomous-agent-patterns

Fail

Audited by Snyk on Feb 21, 2026

Risk Level: CRITICAL
Full Analysis

CRITICAL E006: Malicious code pattern detected in skill scripts.

  • Malicious code pattern detected (high risk: 0.90). The skill contains several high-risk patterns that enable intentional abuse: automatic file reads whose contents are appended to prompts, tools that run shell commands with shell=True (so a model-supplied string is interpreted by a shell, metacharacters included), and an MCP create_tool flow that writes LLM-generated Python code to disk and hot-reloads it. Together these give an easy path to data exfiltration and remote code execution if the skill is misused or its inputs are attacker-influenced.
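To make the shell=True part of E006 concrete, here is an added example (editor's illustration, not code from the audited skill): the flagged tool shape next to a hardened variant that passes an argv list with no shell, allowlists the binary, and caps output. The function names and the ALLOWED_BINARIES set are assumptions for the demo.

```python
"""Added example: shell=True tool pattern (as flagged by E006) beside a
hardened variant. Not the audited skill's code; names and policy are assumed."""
import shlex
import shutil
import subprocess

# Assumed policy: the only binaries an LLM-driven tool call may invoke.
ALLOWED_BINARIES = {"echo", "ls"}
MAX_OUTPUT = 4096


def run_shell_tool_unsafe(command: str) -> str:
    """The flagged pattern: the model's string goes straight to /bin/sh.
    ';', '|', '&&', '$(...)' and friends are interpreted, so one 'command'
    from the model (or from injected page text) can become several."""
    result = subprocess.run(
        command, shell=True, capture_output=True, text=True, timeout=10
    )
    return result.stdout


def run_tool_hardened(command: str) -> str:
    """Hardened variant: split into argv with shlex (no shell involved),
    require the binary to be allowlisted, resolve it to an absolute path,
    and cap the output returned to the model. Metacharacters become
    ordinary arguments instead of control flow."""
    argv = shlex.split(command)
    if not argv:
        raise ValueError("empty command")
    if argv[0] not in ALLOWED_BINARIES:
        raise PermissionError(f"binary not allowed: {argv[0]}")
    path = shutil.which(argv[0])
    if path is None:
        raise FileNotFoundError(argv[0])
    result = subprocess.run(
        [path, *argv[1:]], shell=False, capture_output=True, text=True, timeout=10
    )
    return result.stdout[:MAX_OUTPUT]


def tool_dispatch(command: str) -> tuple:
    """What an agent loop would call: returns (ok, text) and never raises,
    so a refused command is reported back to the model instead of crashing."""
    try:
        return True, run_tool_hardened(command)
    except (ValueError, PermissionError, FileNotFoundError,
            subprocess.TimeoutExpired) as exc:
        return False, f"{type(exc).__name__}: {exc}"


if __name__ == "__main__":
    probe = "echo hello; echo INJECTED"
    print("shell=True :", repr(run_shell_tool_unsafe(probe)))   # two commands ran
    print("hardened   :", repr(run_tool_hardened(probe)))       # one echo, literal ';'
    print("allowlist  :", tool_dispatch("cat /etc/passwd"))     # refused
```

The allowlist and argv split only address command injection; a real agent tool also needs a working-directory and filesystem boundary for the file-read pattern, a timeout, and resource limits, none of which the page's finding claims the skill has.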

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The skill explicitly fetches arbitrary URLs and ingests their content into agent context (sub-skills/51-context-injection-patterns.md, add_url), and it also browses pages and extracts their text and screenshots for LLM-driven actions (sub-skills/41-browser-tool-pattern.md and 4.2 VisualAgent). That content is then fed into prompts and used to decide on and carry out actions, which enables indirect prompt injection from untrusted third-party content.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 1.00). ContextManager.add_url performs requests.get(url) at runtime and injects the fetched page body into the LLM prompt, so whoever controls a URL passed to ContextManager.add_url controls part of the agent's prompt; URLs fetched through that call are high-risk.

Audit Metadata

Risk Level: CRITICAL
Analyzed: Feb 21, 2026, 10:29 AM