openharmony-download
Fail
Audited by Snyk on Feb 15, 2026
Risk Level: CRITICAL
Full Analysis
CRITICAL E006: Malicious code pattern detected in skill scripts.
- Malicious code pattern detected (high risk: 1.00). The scripts are largely legitimate for downloading OpenHarmony, but they perform three risky supply-chain actions without any integrity check: they curl-download and execute a remote repo bootstrap script, pip-install packages from a non-default index, and run repo init with --no-repo-verify (which disables repo's verification of the signed tag on the repo tool it bootstraps). With no pinned checksum or signature on any of these fetches, each one is a path for malicious payload delivery.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill runs repo init/sync against public mirrors (e.g., https://gitcode.com/openharmony/manifest.git, https://gitee.com/openharmony/manifest.git, https://github.com/openharmony/manifest.git) and then runs repo sync, repo forall and git lfs pull, which fetch arbitrary, user-generated repository content. The agent displays and consumes that content (the repo init/sync output and the verification step's output) as part of the download/verification workflow, so a manifest or repository file crafted by a third party can reach the model as text it may treat as instructions: an indirect prompt injection risk.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). At runtime the download script curls and installs an executable from https://raw.gitcode.com/gitcode-dev/repo/raw/main/repo-py3, and runs pip3 against https://repo.huaweicloud.com/repository/pypi/simple to install packages. Both are remote code the skill depends on to proceed, fetched at run time rather than pinned and verified in the skill, so whoever controls the content served at those URLs controls what the agent executes.
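The fix the findings above point at is the same for all three actions: fetch, verify against a pin, and only then execute or install. The following is an added example written for this report, not code from the audited skill or from the OpenHarmony project. It assumes an operator-supplied pinned SHA-256 for repo-py3 (REPO_PY3_SHA256) and a requirements.txt with per-package hashes; the URLs are the ones named in the findings, and the repo init branch/manifest options of the original script are not reproduced.

```shell
#!/usr/bin/env bash
# Added example (not part of the audited skill): replace "curl URL | sh" style
# bootstrap with download -> verify pinned SHA-256 -> install, and show the
# hardened pip and repo invocations. REPO_PY3_SHA256 is an assumed, operator-
# supplied pin; no hash value on the audit page is reproduced here.
set -euo pipefail

# sha256_of FILE: print the hex SHA-256 of FILE (GNU coreutils or BSD shasum).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_sha256 FILE EXPECTED: exit 0 only if FILE hashes to EXPECTED.
verify_sha256() {
  local actual
  actual=$(sha256_of "$1")
  [ "$actual" = "$2" ]
}

# fetch_verified URL EXPECTED_SHA256 DEST: download to a temp file, check the
# hash before anything can execute it, then install with mode 0755.
# Only HTTPS (including across redirects) and TLS 1.2+ are allowed.
# On a mismatch the temp file is removed and the function returns 1.
fetch_verified() {
  local url="$1" expected="$2" dest="$3" tmp
  tmp=$(mktemp)
  curl --fail --silent --show-error --location \
       --proto '=https' --proto-redir '=https' --tlsv1.2 \
       --output "$tmp" "$url"
  if ! verify_sha256 "$tmp" "$expected"; then
    rm -f "$tmp"
    echo "checksum mismatch for $url; refusing to install" >&2
    return 1
  fi
  mkdir -p "$(dirname "$dest")"
  install -m 0755 "$tmp" "$dest"
  rm -f "$tmp"
}

# Hardened form of the three flagged steps. Guarded by RUN_INSTALL so the
# functions above can be sourced or tested without touching the network.
if [ "${RUN_INSTALL:-0}" = "1" ]; then
  # 1. Bootstrap script: never piped into sh; hash checked against the pin.
  fetch_verified "https://raw.gitcode.com/gitcode-dev/repo/raw/main/repo-py3" \
                 "${REPO_PY3_SHA256:?set to the reviewed sha256 of repo-py3}" \
                 "$HOME/.local/bin/repo"

  # 2. pip: keep the explicit mirror, but require every package to match a
  #    hash pinned in requirements.txt (e.g. generated with
  #    pip-compile --generate-hashes), so the index cannot substitute packages.
  pip3 install --index-url https://repo.huaweicloud.com/repository/pypi/simple \
               --require-hashes -r requirements.txt

  # 3. repo: no --no-repo-verify, so repo verifies the signed tag of the repo
  #    tool it clones. The original script's branch/manifest arguments go here.
  "$HOME/.local/bin/repo" init -u https://gitcode.com/openharmony/manifest.git
fi
```

Run with RUN_INSTALL=1 REPO_PY3_SHA256=<pinned hash> to perform the install; without RUN_INSTALL the script only defines the functions. The pin itself must come from a reviewed copy of repo-py3, not from the same URL at run time, otherwise the check verifies nothing.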
Audit Metadata