bad

CRITICAL E006: Malicious code pattern detected in skill scripts.

• Malicious code pattern detected (high risk: 0.90). The skill contains intentional persistent hooks and broad "auto-approve" agent behavior that capture and log every tool call / session JSON to local project/home logs and will forward activity (including last tool inputs) via channel notifications (e.g. Telegram); combined with unrestricted subagent tool execution (auto-approve/yolo), forced git pushes, and scheduled Cron/Monitor actions, this creates an explicit path for sensitive-data capture, persistence, and external exfiltration — a high-risk dual-use/backdoor capability even if presented as automation functionality.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly reads and acts on user-generated GitHub content (e.g., SKILL.md Phase 0 / references/subagents/phase0-prompt.md Step 4, Phase 2 Steps 6–7 which run gh pr view/gh pr diff, and references/subagents/phase4-assessment.md) and uses PR/issue bodies and diffs to drive fixes, CI/merge decisions, and subagent actions, meaning untrusted third-party content from GitHub can materially influence tool use and next actions.