reverse-claude

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). This skill (Module 2 in SKILL.md) explicitly loads markdown-based plugins from marketplaces (background git pulls / refreshMarketplace), walks plugin directories to parse SKILL.md frontmatter and content, and then substitutes/hydrates that content (including running executeShellCommandsInPrompt) into prompts — meaning arbitrary third‑party plugin/markdown content fetched from public repos can be read and executed by the agent and thus can inject instructions that influence tool use and next actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill contains runtime auto-update logic that performs git pulls of plugin/marketplace repositories and the plugin loader directly loads markdown files into prompts (which are then subject to executeShellCommandsInPrompt), so remote GitHub-hosted content such as https://raw.githubusercontent.com/skillcreatorai/reverse-claude/main/SKILL.md (and repository refs like anthropics/claude-code-plugins) can be fetched at runtime and directly control prompts or trigger shell execution.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 1.00). The skill explicitly instructs executing shell commands (executeShellCommandsInPrompt), installing plugins and writing config/skill files (including system-level paths like /etc/claude-code/managed-settings.json), and defines hooks that run arbitrary shell commands — all of which enable modifying the host filesystem and runtime state and can be used to change privileged/system configuration.