deepen-plan

Fail

Audited by Snyk on Mar 25, 2026

Risk Level: CRITICAL
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 0.90). The prompt instructs the agent to recursively read and "return the skill's full output" from many local files (SKILL.md, installed_plugins.json, docs, plugin dirs) and to spawn sub-agents that echo file contents without any redaction, so any API keys, tokens, or secrets present in those files could be output verbatim and exfiltrated.

CRITICAL E006: Malicious code pattern detected in skill scripts.

  • Malicious code pattern detected (high risk: 1.00). This skill explicitly instructs exhaustive discovery and execution of all local and plugin skills/agents (including reading hidden user/plugin directories and installed_plugins.json) and to spawn unfiltered parallel sub-agents, a pattern that enables data exfiltration, remote code execution, credential leakage, and supply‑chain compromise—an intentional high-risk/abusive behavior.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). This skill explicitly instructs agents to "Use WebSearch" and "Search for recent (2024-2026) articles, blog posts, and documentation" (see "Use WebSearch for current best practices" in SKILL.md), meaning the agent will fetch and interpret open web third‑party content (blogs/docs) that can influence plan decisions and actions.

MEDIUM W013: Attempt to modify system services in skill instructions.

  • Attempt to modify system services in skill instructions detected (high risk: 1.00). The prompt instructs the agent to discover and spawn every available skill/agent and to "follow the skill's instructions exactly" and "execute the skill completely" with no filtering, which enables running untrusted skills that may request sudo, modify system files, or create accounts and thus can compromise the machine state.

Issues (4)

  • W007 (HIGH): Insecure credential handling detected in skill instructions.
  • E006 (CRITICAL): Malicious code pattern detected in skill scripts.
  • W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
  • W013 (MEDIUM): Attempt to modify system services in skill instructions.

Audit Metadata

  • Risk Level: CRITICAL
  • Analyzed: Mar 25, 2026, 02:05 AM
  • Issues: 4