switch-persona
Fail
Audited by Snyk on Feb 19, 2026
Risk Level: CRITICAL
Full Analysis
CRITICAL E004: Prompt injection detected in skill instructions.
- Potential prompt injection detected (high risk: 1.00). The skill explicitly instructs the agent to "FORGET all previous system instructions" and to adopt external persona files as the only instructions, which is a direct attempt to override system-level context and thus constitutes a prompt injection outside the skill's stated safe switching purpose.
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 1.00). The protocol instructs the agent to read local persona files and immediately adopt and echo their contents (including outputting the first line), which forces verbatim handling/output of whatever is in those files — including any secrets or API keys they might contain.
CRITICAL E006: Malicious code pattern detected in skill scripts.
- Malicious code pattern detected (high risk: 0.90). The skill intentionally implements a file-backed persona loader that immediately discards prior system instructions and adopts arbitrary local prompt files without confirmation, creating a persistent instruction-injection/backdoor vector that can be abused to bypass safeguards and enable data exfiltration or credential theft.