ln-1000-pipeline-orchestrator

CRITICAL E006: Malicious code pattern detected in skill scripts.

• Malicious code pattern detected (high risk: 0.90). This skill contains multiple deliberate abuse-ready patterns: it instructs changing runtime permissions to "bypassPermissions", installs keep-alive hooks and background scripts to prevent termination and persist agent activity, spawns privileged agent teams/tasks with bypassPermissions, and includes force-clean rm -rf commands that can delete local Claude runtime data — together these enable elevated, persistent, hard-to-stop agent activity and destructive cleanup (a backdoor/persistence and destructive capability), even though there is no explicit external exfiltration endpoint defined.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill directly ingests and parses user-managed project content—specifically auto-discovering and parsing docs/tasks/kanban_board.md or calling the Linear API (Phase 1 step 1) and reading the project's CLAUDE.md—and re-reads the kanban/Linear state after each stage to decide routing, spawn workers, and drive actions, so untrusted user-generated kanban/issue content can materially influence agent decisions and tool use.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 0.80). The prompt instructs altering local/system state (copying hooks, writing .pipeline and .claude settings, force-deleting ~/.claude data) and explicitly directs bypassing security mechanisms (setting defaultMode="bypassPermissions" and using PowerShell -ExecutionPolicy Bypass), so it pushes the agent to compromise the machine state even though it does not request sudo or create users.