use-other-model

Fail

Audited by Snyk on Apr 17, 2026

Risk Level: CRITICAL
Full Analysis

CRITICAL E004: Prompt injection detected in skill instructions.

  • Potential prompt injection detected (high risk: 0.90). The instructions contain the explicit directive "bypass nested check: unset CLAUDECODE", which guides the agent in evading platform/safety checks. This is a privilege-escalating, protection-evading command that is inconsistent with the skill's stated purpose of "optimizing token usage while preserving quality and safety", and so constitutes a hidden/deceptive instruction.

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 0.80). The skill tells the agent to "ask the user for API configuration" and to generate/launch scripts (execute-task.sh) that may contain API keys (it even instructs deleting scripts that contain API keys). This implies the agent will collect secret values and embed them verbatim into files and commands, which is an exfiltration risk despite the recommendation to prefer environment variables.

CRITICAL E006: Malicious code pattern detected in skill scripts.

  • Malicious code pattern detected (high risk: 0.90). This skill intentionally documents safety bypasses (unset CLAUDECODE, --dangerously-skip-permissions), background/independent child sessions, and explicit extraction and embedding of API keys and proxy base URLs. These patterns enable credential exposure, remote code execution, and covert delegation/exfiltration, so the skill presents a high abuse/backdoor risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.80). The skill's required workflows explicitly call MCP web tools (e.g., mcp__MiniMax__web_search in references/method-a-mcp-tools.md) and instruct launching independent child sessions using user-provided ANTHROPIC_BASE_URL/API credentials (references/method-b-independent-session.md and environment-variables.md), so the agent will fetch and read untrusted public/third-party content (web search results and external model outputs) that can directly influence tool use and subsequent actions.

Audit Metadata

Risk Level: CRITICAL
Analyzed: Apr 17, 2026, 08:11 AM
Issues: 4