plan-feature

CRITICAL E004: Prompt injection detected in skill instructions.

• Potential prompt injection detected (high risk: 1.00). The prompt includes explicit, deceptive execution directives (e.g., "Delete debug logs", "Leave ALL changes UNSTAGED") that are unrelated to writing a plan and attempt to steer/cover up subsequent execution—instructions outside the skill's stated planning purpose.

CRITICAL E006: Malicious code pattern detected in skill scripts.

• Malicious code pattern detected (high risk: 0.90). This content contains explicit, repeated instructions to hide and avoid audit (write plans only to hidden files, never print them, require execution agents to delete debug logs and leave all code changes unstaged/no git commits), which strongly facilitates stealthy, hard-to-audit code modifications and could be used to install backdoors or make unauthorized changes even though it doesn't include an explicit payload or exfiltration code.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill's required workflow (Phase 3: "External Research" and TASKS/TESTING sections such as "Relevant Documentation — READ BEFORE IMPLEMENTING", "External Service Setup & Verification", and "Third-Party Service Validation" with Playwright/fetch examples) explicitly instructs the agent to fetch and read external public API docs, third‑party dashboards, and open web endpoints, so untrusted third‑party content can influence decisions and tool use.