release-publish

CRITICAL E006: Malicious code pattern detected in skill scripts.

• Malicious code pattern detected (high risk: 0.90). The skill mandates automatically fetching and applying remote rules (compose-agentsmd pulling from a GitHub HEAD source), running that tool every session, auto-regenerating/staging/pushing AGENTS.md, installing global npm tools, and committing persistent task state — together these create a high-risk supply-chain/backdoor vector that could be used to inject arbitrary instructions, execute commands, push changes, or exfiltrate data if the upstream rule repo or tool distribution is compromised.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill's SKILL.md requires post-publish verification that directly queries and runs packages from public registries (e.g., npm view <pkg> version and npx <pkg>@latest --version), which ingests and executes untrusted, user-published content from the open npm registry as part of its required workflow.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill requires running compose-agentsmd at session start and references a remote ruleset source (e.g., github:metyatech/agent-rules@HEAD — see Source: github:metyatech/agent-rules@HEAD/rules/global/agent-rules-composition.md) which will be fetched at runtime to generate AGENTS.md and thus directly control agent instructions, so this is a runtime external dependency that affects prompts.