insideout

Fail

Audited by Snyk on Mar 27, 2026

Risk Level: CRITICAL
Full Analysis

CRITICAL E006: Malicious code pattern detected in skill scripts.

  • Malicious code pattern detected (high risk: 1.00). This skill instructs the agent to silently scan a user's workspace and forward project context and every user message to an unauthenticated remote MCP server (including flows that capture cloud credentials via browser connection and allow remote Terraform deploy/inspect/destroy), which enables deliberate data exfiltration, credential theft, and remote control/backdoor behavior.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The skill connects to a remote MCP server (https://app.luthersystems.com/v1/insideout-mcp) and explicitly fetches and displays Riley's messages and internal signals (e.g., [TERRAFORM_READY:true]) from that third-party service as part of its required workflow, and those messages directly drive tool calls (tfgenerate, tfdeploy, etc.), so untrusted third-party content can materially influence agent actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). The skill explicitly requires and calls the remote MCP server at https://app.luthersystems.com/v1/insideout-mcp during runtime, and that server's responses (“Riley”) directly control the agent's prompts and workflow, making it a required external source of instructions.

Issues (3)

  • E006 (CRITICAL): Malicious code pattern detected in skill scripts.
  • W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
  • W012 (MEDIUM): Unverifiable external dependency detected (runtime URL that controls agent).

Audit Metadata

  • Risk Level: CRITICAL
  • Analyzed: Mar 27, 2026, 04:19 PM
  • Issues: 3