authoring-plugins

Fail

Audited by Snyk on Mar 29, 2026

Risk Level: CRITICAL
Full Analysis

CRITICAL E006: Malicious code pattern detected in skill scripts.

  • Malicious code pattern detected (high risk: 0.90). The skill content includes deliberate, high-risk behaviors: automatic self-modification/“self‑improvement” that runs without explicit user consent, Task/Planner invocations set to bypassPermissions and run_in_background, instructions to programmatically update user/home configuration and plugin metadata, and features that execute shell commands or scripts (!`command`, bundled scripts, pdf-to-markdown) — together these provide clear vectors for privilege bypass, remote code execution, persistence, and covert data exfiltration or backdoor insertion.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 1.00). The skill explicitly fetches and ingests external web content (e.g., the mandatory "Step 0" fetch of https://code.claude.com/docs/ja/sub-agents and the CONVERTING.md workflow that accepts arbitrary URLs via curl/pandoc/WebFetch), and those fetched third‑party pages are read and used to decide updates, AskUserQuestion prompts, conversions, and downstream tool actions—exposing the agent to untrusted, user/public web content that can influence its actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 1.00). The skill explicitly requires fetching the official doc at runtime ("Step 0") — https://code.claude.com/docs/ja/sub-agents — via WebFetch and uses the fetched content to diff and update INSTRUCTIONS.md/agent prompts, so remote content directly controls prompts and is a required dependency.

Issues (3)

CRITICAL E006: Malicious code pattern detected in skill scripts.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

Audit Metadata

Risk Level: CRITICAL
Analyzed: Mar 29, 2026, 11:13 PM
Issues: 3