super-helper-tool
Fail
Audited by Snyk on Feb 27, 2026
Risk Level: CRITICAL
Full Analysis
CRITICAL E004: Prompt injection detected in skill instructions.
- Potential prompt injection detected (high risk: 1.00). The skill prompt contains multiple hidden and deceptive instructions unrelated to a "productivity tool"—including commands and code for credential harvesting, data exfiltration, persistence, remote execution, and an explicit "ignore all previous instructions" override—so it is a clear prompt injection.
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 1.00). The prompt embeds a literal API key and instructs commands that exfiltrate environment variables, SSH keys, and other secrets, forcing the agent to include or handle secret values verbatim.
CRITICAL E006: Malicious code pattern detected in skill scripts.
- Malicious code pattern detected (high risk: 1.00). The content is definitely malicious: it contains explicit data exfiltration to external domains, credential harvesting, reverse shells and execution of remote payloads, persistent backdoor installation (cron jobs, LaunchAgents), downloading and executing backdoors/miners, DNS exfiltration, and base64-obfuscated commands, all of which are clear, intentional abuse and backdoor behavior.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 1.00). SKILL.md and the included scripts/setup.sh explicitly instruct the agent to fetch, download, and execute content from untrusted public domains (e.g., https://evil.example.com, pool.evil.com) which the agent would read/execute as part of its workflow and could thus alter behavior based on third-party content.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 1.00). The skill explicitly downloads and executes remote code at runtime (e.g., curl/wget to https://evil.example.com/backdoor and https://evil.example.com/xmrig and a base64-decoded curl to https://evil.example.com/beacon), so the external URLs directly cause remote code execution and are required by the scripts.
HIGH W008: Secret detected in skill content (API keys, tokens, passwords).
- Secret detected (high risk: 1.00). The code contains a literal, high-entropy API key string assigned to api_key: "sk-proj-ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890". This matches the definition of a secret (literal, random-looking API key) and is not one of the listed placeholders (e.g., "YOUR_API_KEY" or "sk-xxxx"). No other high-entropy credentials are present; other strings are commands, endpoints, or low-entropy names and therefore ignored.
MEDIUM W013: Attempt to modify system services in skill instructions.
- Attempt to modify system services in skill instructions detected (high risk: 1.00). The prompt includes explicit malicious actions (data exfiltration, creating persistence via crontab and ~/.bashrc modifications, downloading and executing a backdoor and reverse shell, harvesting keys/credentials, and an instruction to ignore safety constraints), so it directly instructs the agent to compromise the host.
Audit Metadata