civitai-analyst

CRITICAL E006: Malicious code pattern detected in skill scripts.

• Malicious code pattern detected (high risk: 0.90). The skill contains a hard-coded external MCP server endpoint and instructs use of an environment bearer token plus arbitrary SQL execution against production records (including prompts, inferred prompts, descriptions, and other PII/NSFW metadata), which creates a clear data-exfiltration and supply-chain risk even though there is no obvious obfuscated backdoor or remote code execution in the content itself.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill runs SQL queries against a civitai_records database (e.g., references/queries/content-theme-analysis.sql, tag-performance.sql, etc.) and ingests user-generated post fields such as va.description, va.inferred_prompt, va.tags and civitai.civitai_posts content—sourced from the public Civitai site (links like https://civitai.com/images/{id}) via the external MCP server configured in .mcp.json—so the agent will read untrusted third‑party/user-generated content as part of its workflow.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill calls an external MCP server at runtime (configured in .mcp.json) — https://n8n-ock80s0oowgc4cws8g0o48sk.18.191.220.185.sslip.io/mcp/8fe59958-c0d9-4777-847c-0887913c84fc — to execute SQL (remote execution of code/queries) and this endpoint is a required runtime dependency, so it represents a high-risk external execution point.