opencli

Fail

Audited by Snyk on Mar 17, 2026

Risk Level: CRITICAL
Full Analysis

CRITICAL E006: Malicious code pattern detected in skill scripts.

  • Malicious code pattern detected (high risk: 0.90). This content intentionally provides capabilities to reuse logged-in Chrome sessions, extract cookies/CSRF tokens (e.g. ct0), auto-discover/auto-approve extension connection tokens, install interceptors to capture XHR/fetch responses, and perform authenticated actions (follow/unfollow/comment), all of which directly enable credential harvesting and sensitive data exfiltration and thus present a high risk for abuse.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The skill's required AI agent workflow (see CLI-EXPLORER.md and SKILL.md) explicitly instructs the agent to open arbitrary public websites via Playwright (browser_navigate, browser_evaluate, browser_network_requests, installInterceptor, tap, etc.) and to fetch/parse page-mounted data (e.g., INITIAL_STATE, intercepted JSON, API responses from sites like Twitter/X, Reddit, Zhihu, Bilibili, Xiaohongshu), meaning untrusted user-generated third-party content is ingested and used to drive subsequent tool actions and adapter-generation decisions.

Issues (2)

  • E006 (CRITICAL): Malicious code pattern detected in skill scripts.
  • W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).

Audit Metadata

  • Risk Level: CRITICAL
  • Analyzed: Mar 17, 2026, 02:00 AM
  • Issues: 2