coding-agent
Fail
Audited by Snyk on Apr 25, 2026
Risk Level: CRITICAL
Full Analysis
CRITICAL E006: Malicious code pattern detected in skill scripts.
- Malicious code pattern detected (high risk: 0.90). This skill contains explicit instructions to bypass agent sandboxing and permission checks (e.g., --yolo, --full-auto, --permission-mode bypassPermissions, elevated:true) and to run interactive background agents with host-level access and automatic commit/push behavior — a clear enabler for remote code execution, data exfiltration, and supply-chain/backdoor abuse if misused.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The SKILL.md explicitly instructs the agent to clone and operate on public GitHub repositories and PRs (e.g., "git clone https://github.com/user/repo.git $REVIEW_DIR" and the "Batch PR Reviews" / PR review examples), which are untrusted, user-generated third‑party content that the spawned coding agents will read and act on as part of their workflow.
MEDIUM W013: Attempt to modify system services in skill instructions.
- Attempt to modify system services in skill instructions detected (high risk: 0.90). The prompt explicitly instructs use of flags that bypass permissions/sandboxes (e.g. --permission-mode bypassPermissions, --yolo) and mentions running with "elevated" host access, which encourages disabling security boundaries and allows agents to modify the host state.
Issues (3)
- E006 CRITICAL: Malicious code pattern detected in skill scripts.
- W011 MEDIUM: Third-party content exposure detected (indirect prompt injection risk).
- W013 MEDIUM: Attempt to modify system services in skill instructions.
Audit Metadata