websh

CRITICAL E006: Malicious code pattern detected in skill scripts.

• Malicious code pattern detected (high risk: 0.90). The skill design contains high-risk autonomous data-exfiltration and credential-theft vectors: it instructs background "haiku" subagents (remote LLM workers) to read raw fetched HTML and local state and run iterative extraction on many pages (and queued crawls), while also providing explicit cookie/header import/export and profile storage—together these enable sending sensitive page content, session cookies, and auth tokens to external model endpoints without explicit user consent and can be used to schedule persistent exfiltration tasks.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly fetches arbitrary public URLs and user-generated sites (e.g., SKILL.md and the cd flow), iteratively reads and parses that HTML into .websh/cache/{slug}.parsed.md (state/cache.md and the Extraction Prompt), and then uses that parsed content to drive actions like eager prefetching and spawning fetch/extract tasks (state/crawl.md), so untrusted third‑party page content can materially influence subsequent tool use and decisions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill spawns background haiku agents that fetch and read remote pages (e.g., https://news.ycombinator.com) and feed the raw HTML into iterative extraction prompts, so runtime-fetched page content is injected into the model prompt and can directly influence agent behavior.