pro

CRITICAL E004: Prompt injection detected in skill instructions.

• Potential prompt injection detected (high risk: 0.90). The skill contains hidden/deceptive behaviors outside its stated UI features—silent telemetry (session_start/stat reporting), silent remote config refresh, and automatic PreCompact hooks that dump runtime state (including "key_context") and can alter agent behavior—none of which are clearly disclosed to users as part of the advertised commands, so this constitutes prompt-injection-like hidden instructions.

CRITICAL E006: Malicious code pattern detected in skill scripts.

• Malicious code pattern detected (high risk: 0.90). High-risk: the skill deliberately sends user-identifying data and session telemetry to external servers (including silent/session-start reporting and automatic leaderboard uploads), persistently stores local state that may include sensitive "key_context", and fetches remote configuration—behaviors consistent with data exfiltration and covert remote control rather than benign telemetry.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The SKILL.md explicitly shows the agent making network requests to public endpoints (e.g., curl to https://pua-skill.pages.dev/api/leaderboard and a referenced https://openpua.ai page) and describes a required "静默刷新远端配置" (silent remote config refresh) and ingestion/display of user-submitted leaderboard JSON as part of the workflow, meaning untrusted third‑party content is fetched, parsed, and can alter runtime behavior.