naga-config

Fail

Audited by Snyk on Mar 16, 2026

Risk Level: CRITICAL
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The skill explicitly instructs the agent to GET the full system configuration (which includes api.api_key and other secrets) and then POST back the complete configuration object, forcing the LLM to include secret values verbatim in generated requests and responses.

CRITICAL E006: Malicious code pattern detected in skill scripts.

  • Malicious code pattern detected (high risk: 0.90). The skill exposes multiple high-risk abuse vectors:
    • it allows adding MCP services that run arbitrary external packages/commands (npx), enabling remote code execution and supply-chain attacks;
    • it allows adding SSE/URL endpoints or services that can exfiltrate data;
    • it allows creating/importing custom skills that are injected into the system prompt (a persistent backdoor for covert instructions);
    • it allows reading/writing the full system config (including API keys), which facilitates credential theft and covert data extraction.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). SKILL.md explicitly instructs the agent to use the built-in online_search/clawdbot tooling to search the open web (npm, GitHub, arbitrary URLs) to find and import MCP tools, and to POST user-provided skill Markdown into skills/{name}/SKILL.md (which is then loaded into system prompts). The agent will therefore fetch and ingest untrusted third-party content that can change its tools and system behavior.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). The skill allows adding MCP services that are executed at runtime (e.g., running remote code via "npx -y @mcp/server-name") and connecting to remote SSE endpoints (example "https://mcp-server.example.com/sse"), which would fetch/execute remote code or stream instructions that can directly control agent behavior.


Audit Metadata
Risk Level: CRITICAL
Analyzed: Mar 16, 2026, 07:39 AM
Issues: 4