autonomous-agent-patterns

Fail

Audited by Snyk on Feb 19, 2026

Risk Level: CRITICAL
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The skill includes tools (ReadFileTool, ContextManager.add_file/add_folder, format_for_prompt, and ReadFileTool outputs) that unconditionally read file contents into the agent's prompt/history and return them as outputs, which can expose secrets and cause the LLM to include secret values verbatim in generated outputs.

CRITICAL E006: Malicious code pattern detected in skill scripts.

  • Malicious code pattern detected (high risk: 0.85). This content is not overt malware but includes several high-risk patterns that enable deliberate abuse: automatic permission for file reads (easy data exfiltration), dynamic code generation + writing + hot-reload of MCP servers (remote code execution / backdoor creation), use of shell=True and unsanitized subprocess calls, and tools that return raw page screenshots/contexts that can leak sensitive data.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 1.00). SKILL.md explicitly fetches and ingests arbitrary web content (e.g., ContextManager.add_url uses requests.get to add URL content, BrowserTool.open_url/get_page_content load and return page text/screenshots, and VisualAgent.describe_page/find_and_click send page content/screenshots to the LLM), so untrusted third-party webpages can directly influence agent decisions and tool use.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). The ContextManager.add_url method fetches arbitrary external pages at runtime via requests.get(url) and appends that content into the agent's prompt (flagged: any URL passed to ContextManager.add_url / requests.get(url)), allowing remote content to directly control instructions.

MEDIUM W013: Attempt to modify system services in skill instructions.

  • Attempt to modify system services in skill instructions detected (high risk: 0.90). The skill defines and encourages tools that read/write/edit arbitrary filesystem paths, execute shell commands, and generate/install executable MCP servers (including writing and hot-reloading code), while its safeguards (permission levels, sandbox) are incomplete or optional, so it can be used to modify system files, create services/users, or run privileged actions that compromise the host.

Audit Metadata
Risk Level
CRITICAL
Analyzed
Feb 19, 2026, 04:11 AM