skillify

Fail

Audited by Snyk on May 3, 2026

Risk Level: CRITICAL
Full Analysis

CRITICAL E004: Prompt injection detected in skill instructions.

  • Potential prompt injection detected (high risk: 1.00). The skill embeds many side-effecting governance and telemetry instructions (brain-sync, telemetry logging, routing injection, auto-upgrades, repo commits), along with model-level rules that can auto-choose recommended options or auto-execute prompts (notably in spawned/plan-mode contexts). These instructions change agent/global behavior and can cause non-consensual actions outside the stated "codify a /scrape" purpose, making this a deceptive/overreaching instruction surface.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.80). The skill explicitly performs live web fetches and saves untrusted page HTML (Step 4: "$B goto <TARGET_URL>" and "$B html" → fixtures/-.html) and then reads/parses that third‑party HTML in parseFromHtml and the generated tests/scripts (Steps 3–5), so public/user-generated content is ingested and used to synthesize code and decisions in the workflow.

Issues (2)

CRITICAL E004: Prompt injection detected in skill instructions.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

Audit Metadata
Risk Level: CRITICAL
Analyzed: May 3, 2026, 02:24 PM
Issues: 2