basalt-cortex
Fail
Audited by Snyk on Mar 21, 2026
Risk Level: CRITICAL
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 1.00). The prompt explicitly shows and instructs embedding API keys/tokens in command lines (e.g., ANTHROPIC_API_KEY=sk-... in a cron job and "curl with token" for Slack), which requires including secrets verbatim in generated commands/scripts and poses an exfiltration risk.
CRITICAL E006: Malicious code pattern detected in skill scripts.
- Malicious code pattern detected (high risk: 0.90). The skill contains explicit, high-risk data-collection and automatic sync behaviors (mining Gmail/Drive/Slack/local files/MCP servers and auto-uploading them to basaltcortex.com / external services, plus daemon/cron persistence), which enable mass private-data exfiltration and persistent background export; there is no obvious obfuscated backdoor or RCE code, but the described architecture and defaults present a clear deliberate exfiltration capability and persistent data-leak vector.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill explicitly mines and ingests untrusted third-party content — e.g., Gmail, Google Chat, Slack, Google Drive and arbitrary web pages via WebFetch/Playwright (see SKILL.md "Mine Mode" source list and references/source-patterns.md) and instructs Claude to read/interpret those threads/pages as part of its extraction workflow (see references/extraction-prompt.md), so external content can materially influence agent outputs/actions.
Issues (3)
- W007 (HIGH): Insecure credential handling detected in skill instructions.
- E006 (CRITICAL): Malicious code pattern detected in skill scripts.
- W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
Audit Metadata