companion-offload

Fail

Audited by Snyk on Mar 12, 2026

Risk Level: CRITICAL
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The prompt explicitly instructs collecting environment variables (notably ANTHROPIC_API_KEY) into a file and rsyncing them to the remote sandbox, which requires reading and transmitting secret values verbatim.

CRITICAL E005: Suspicious download URL detected in skill instructions.

  • Suspicious download URL detected (high risk: 0.80). This is a direct shell installer URL (https://claude.ai/install.sh) that the prompt instructs to run via curl | sh. Even if hosted on the likely-official claude.ai domain, piping and executing remote .sh files is inherently high-risk because it can run arbitrary code and be used to distribute malware. Prefer verified package installs, inspect the script, and verify signatures before running.

CRITICAL E006: Malicious code pattern detected in skill scripts.

  • Malicious code pattern detected (high risk: 0.90). This skill intentionally syncs local session data and environment variables (including API keys and .claude conversation history) to a remote sandbox and runs remote commands (including curl | sh installers and autonomous CLI runs with --dangerously-skip-permissions), which enables credential exfiltration, remote code execution, and supply-chain risk if the remote environment or installer is untrusted.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 1.00). The offload script and skill runtime run a fetch-and-execute installer (curl -fsSL https://claude.ai/install.sh | sh) to install Claude Code (with an npm fallback), which downloads and executes remote code at runtime and is relied on if claude is not already present.

Issues (4)

  • W007 (HIGH): Insecure credential handling detected in skill instructions.
  • E005 (CRITICAL): Suspicious download URL detected in skill instructions.
  • E006 (CRITICAL): Malicious code pattern detected in skill scripts.
  • W012 (MEDIUM): Unverifiable external dependency detected (runtime URL that controls agent).

Audit Metadata
Risk Level: CRITICAL
Analyzed: Mar 12, 2026, 10:31 AM
Issues: 4