plan-deepen

Fail

Audited by Snyk on Mar 3, 2026

Risk Level: CRITICAL

Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 0.80). This prompt instructs the agent to recursively read and return the full contents of many local/plugin files and to spawn subagents that must "return the skill's full output" without filtering, which can force verbatim exposure of any API keys or secrets found in those files — a clear exfiltration risk.

CRITICAL E006: Malicious code pattern detected in skill scripts.

  • Malicious code pattern detected (high risk: 0.90). The skill instructs unrestricted discovery and execution of local and third‑party skills/agents (ls/find/cat across ~/.claude, plugins, project dirs and installed_plugins.json) and to spawn and run all matched subagents in parallel, which creates high risk for data exfiltration, supply‑chain execution of arbitrary/hidden payloads, and credential or secret exposure.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 1.00). This skill explicitly instructs agents to perform WebSearch and fetch external documentation/articles ("Use WebSearch for current best practices" and "Search for recent (2025-2026) articles, blog posts, and documentation" in the SKILL.md research steps) and to read and apply those third-party findings to plan decisions, so untrusted web content can directly influence tool use and next actions.

MEDIUM W013: Attempt to modify system services in skill instructions.

  • Attempt to modify system services in skill instructions detected (high risk: 1.00). It directs the agent to recursively discover and then execute every skill/agent found on the filesystem (following each skill's instructions exactly and with no filtering or permission checks), which enables those discovered skills to perform arbitrary state-changing actions (file edits, service changes, sudo requests, user creation, etc.).

Audit Metadata

Risk Level: CRITICAL
Analyzed: Mar 3, 2026, 04:42 PM