remembering
Fail
Audited by Snyk on Mar 8, 2026
Risk Level: CRITICAL
Full Analysis
CRITICAL E006: Malicious code pattern detected in skill scripts.
- Malicious code pattern detected (high risk: 0.90). This skill intentionally materializes and installs executable "utility-code" from memories, auto-loads credentials from env files, and exposes subprocess/HTTP GitHub and DB APIs—features that create a clear remote code execution / supply-chain backdoor and a straightforward data-exfiltration vector if an attacker can write to the Turso memory store or insert crafted utility memories.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.80). The skill explicitly exposes the agent to untrusted, user-generated content via network APIs and utilities — e.g., the exported github_api/detect_github_access functions (scripts/boot.py and scripts/init.py) and listed utilities (github_pages.py, whtwnd.py, tangled.py, wisp_deploy.py, margin.py shown in _ARCH.md and references/advanced-operations.md) that interact with public GitHub and social/AT-protocol sites, and these are surfaced in SKILL.md and references/CLAUDE.md as part of the normal boot/workflow and examples.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 1.00). The skill fetches runtime code and utility modules from its Turso database at https://assistant-memory-oaustegard.aws-us-east-1.turso.io (utility-code memories are materialized to /home/claude/muninn_utils/ and imported at boot), so remote content from that URL is retrieved at runtime and can execute code/control agent behavior.