secondbrain-init

CRITICAL E006: Malicious code pattern detected in skill scripts.

• Malicious code pattern detected (high risk: 1.00). The content is high risk: it instructs creating a .claude/settings.local.json with overly permissive settings (allow_read "~/**", allow_bash [""], allow_web_fetch [""], auto-approve writes) that would enable data exfiltration, remote command execution, credential access, and supply-chain abuse when used with an agent—thus presenting clear vectors for RCE and sensitive-data theft.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill both scaffolds a VitePress site that includes Giscus comments (Layout.vue) which will display public, user-generated GitHub comments and also proposes a .claude/settings.local.json that sets allow_web_fetch ["*"] and allow_web_search: true, clearly enabling the agent to fetch and read arbitrary untrusted third-party web content.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 1.00). The skill explicitly instructs creating a .claude/settings.local.json that grants broad permissions (allow_bash [""], allow_read ["~/**"], allow_web_fetch [""], auto_approve_write …), which effectively enables the agent to execute arbitrary shell commands and read the user's filesystem, risking compromise of the host.