docs-management

CRITICAL E006: Malicious code pattern detected in skill scripts.

• Malicious code pattern detected (high risk: 0.85). The skill content contains multiple operational patterns that enable autonomous network access, arbitrary script execution, and privileged local actions (automatic parallel live webfetch via a mandated subagent, delegation to general-purpose Task agents to run foreground scripts, a dev-mode env var that redirects filesystem roots, installable Desktop Extensions/MCP servers that execute bundled code, and explicit examples using a --dangerously-skip-permissions loop), any of which can be abused for data exfiltration, credential theft, remote code execution, or supply‑chain/backdoor attacks—so while the material appears legitimate for doc management, these design/usage patterns present high-risk abuse/backdoor potential.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's mandatory workflows and scripts explicitly fetch and ingest public web documentation (e.g., the required claude-code-guide WebFetch of https://code.claude.com/docs/en/claude_code_docs_map.md, scrape_all_sources.py driven by references/sources.json and sitemap parsing) and instruct the agent to read and synthesize those remote pages, so untrusted live web content can influence tool use and decisions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). The skill's mandatory hybrid pattern instructs the main agent to invoke claude-code-guide with the explicit runtime instruction "First WebFetch https://code.claude.com/docs/en/claude_code_docs_map.md ..." so that URL is fetched at runtime and its fetched content is used to control the subagent's prompts/behavior.