deepen-plan

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt instructs the agent to read and return the full contents of many local files and plugin/config directories (SKILL.md, installed_plugins.json, plugin caches, agent/skill files, docs, etc.) and to "return the skill's full output", which can require echoing any embedded API keys, tokens, or secrets verbatim—creating a direct exfiltration risk.

CRITICAL E006: Malicious code pattern detected in skill scripts.

• Malicious code pattern detected (high risk: 0.90). The skill aggressively instructs unrestricted discovery and execution of all local and plugin-provided skills/agents (including reading ~/.claude, plugin caches, installed_plugins.json and project files) and to spawn unfiltered sub-agents that "return full output" — a pattern that enables easy data exfiltration (sensitive files/credentials), supply-chain code execution (running untrusted plugin code), and remote code execution/backdoor escalation, so it represents a high-risk backdoor/enabler rather than a benign automation.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). This skill explicitly instructs the agent to use WebSearch and Context7 to fetch recent (2024-2026) articles/blogs and to ingest external documentation ("Use WebSearch for current best practices" and mcp__plugin_compound-engineering_context7__query-docs) so it will read and act on untrusted public web content as part of its workflow.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 0.90). The prompt explicitly instructs the agent to discover and run every available skill/agent unfiltered and to "execute the skill completely," including running arbitrary commands and writing files from many system and plugin locations, which could cause privilege escalation or system-level modifications (e.g., creating users, editing system/service or SSH configs) if any invoked skill performs such actions.