deepen-plan

Fail

Audited by Snyk on Feb 17, 2026

Risk Level: CRITICAL

Full Analysis

CRITICAL E004: Prompt injection detected in skill instructions.

  • Potential prompt injection detected (high risk: 0.85). The prompt explicitly instructs the agent to indiscriminately discover, read, and run ALL skills/agents and to cat arbitrary files across project and user/plugin directories (including ~/.claude and installed_plugins.json), which goes well beyond "enhance a plan" and creates a hidden/excessive exfiltration/override risk outside the skill's stated purpose.

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 0.80). The prompt requires the agent to read and return the full contents of many local files, plugin configs, SKILL.md and other discovered artifacts (and to spawn sub-agents that must “return the skill's full output”), which can force the LLM to include any secrets present in those files verbatim — a high exfiltration risk.

CRITICAL E006: Malicious code pattern detected in skill scripts.

  • Malicious code pattern detected (high risk: 0.90). The skill instructs exhaustive local and plugin discovery (ls/find/cat of ~/.claude, installed_plugins.json, docs/, etc.) and to spawn unlimited sub-agents that must “execute” discovered skills and return full outputs with no filtering or safeguards—this grants broad access to potentially sensitive files, enables secret harvesting and arbitrary code execution via third-party skills, and therefore poses a high risk of data exfiltration, RCE/backdoor injection, and supply-chain compromise.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). This skill explicitly instructs agents to fetch and interpret open-web content—e.g., "Use WebSearch for current best practices" and Context7 mcp queries for documentation ("Search for recent (2024-2026) articles, blog posts, and documentation")—so it will ingest arbitrary third-party web content (blogs, public docs) that could carry indirect prompt injection.

MEDIUM W013: Attempt to modify system services in skill instructions.

  • Attempt to modify system services in skill instructions detected (high risk: 0.90). This prompt explicitly instructs the agent to discover and blindly spawn and "execute the skill completely" for every found skill/agent (no filtering), which could cause the agent to run skills that request sudo, modify system files, or create user accounts — so it poses a high risk of compromising machine state.

Audit Metadata

Risk Level: CRITICAL

Analyzed: Feb 17, 2026, 04:10 PM