council

Fail

Audited by Snyk on Apr 8, 2026

Risk Level: CRITICAL
Full Analysis

CRITICAL E004: Prompt injection detected in skill instructions.

  • Potential prompt injection detected (high risk: 0.90). The prompt includes explicit agent instructions such as mode="bypassPermissions" (and similar spawn-time directives) that direct teammates to circumvent platform permissions and perform privileged actions unrelated to the advertised deliberation purpose. That is a deceptive, out-of-scope instruction.

CRITICAL E006: Malicious code pattern detected in skill scripts.

  • Malicious code pattern detected (high risk: 0.90). The design deliberately instructs spawning persistent teammates with "bypassPermissions", granting them file and shell access and background external-LM calls (codex/dev-scan), which creates clear avenues for data exfiltration, credential exposure, and remote command execution if abused.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). In Phase 2 this skill explicitly launches a "community-scanner" dev-scan agent that searches developer communities (Reddit, HN, dev blogs) and returns community_sentiment, which is then incorporated into step-back summaries, external data sections, and the Tradeoff Map. The skill therefore ingests untrusted, user-generated third-party content that can influence its decisions.

MEDIUM W013: Attempt to modify system services in skill instructions.

  • Attempt to modify system services in skill instructions detected (high risk: 1.00). The skill explicitly instructs spawning agents with mode="bypassPermissions", running arbitrary Bash/CLI commands, and managing agent teams and background execs. This directly encourages permission bypass and actions that can modify system state or evade security controls.
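A minimal static check of the kind that would surface these four findings, as an added example (not Snyk's scanner and not the council skill's own code): it runs hypothetical per-line regex rules over two constructed skill texts, one reproducing the directives the report quotes and one hardened variant with no permission bypass, shell access, background agents or community sources. The rule patterns, the report's codes reused as labels, the mode="default" value in the hardened text, and both sample texts are assumptions made for the example.

```python
"""Heuristic static checks for agent skill instruction files.

Added example, not Snyk's scanner and not code from the 'council' skill.
It mirrors the four finding categories in the report above with simple
per-line regex rules; the patterns, the sample skill texts and the
severity ordering are all constructed for illustration.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    code: str      # label borrowed from the report (E004, E006, W011, W013)
    severity: str
    line: int      # 1-based line in the skill text
    message: str


# (code, severity, pattern, message). Hypothetical rules that look for the
# textual signals the report calls out, not any vendor's real signatures.
RULES = [
    ("E004", "CRITICAL",
     re.compile(r'mode\s*=\s*["\']bypassPermissions["\']'),
     "spawn-time directive tells teammates to bypass platform permission checks"),
    ("E006", "CRITICAL",
     # a persistent/background agent on the same line as a shell or external-LM tool
     re.compile(r'(?=.*\b(?:persistent|background)\b)(?=.*\b(?:Bash|shell|exec|codex)\b)', re.I),
     "long-lived agent is granted shell access or background external-LM calls"),
    ("W011", "MEDIUM",
     re.compile(r'\b(?:reddit|hacker\s*news|HN|dev\s+blogs?|stack\s*overflow)\b', re.I),
     "untrusted user-generated content is fetched and fed into decisions"),
    ("W013", "MEDIUM",
     re.compile(r'\brun\s+(?:any|arbitrary)\s+(?:\w+\s+)?commands?\b', re.I),
     "instruction authorises arbitrary command execution"),
]

SEVERITY_RANK = {"CRITICAL": 3, "MEDIUM": 2, "LOW": 1}


def scan_skill(text: str) -> list[Finding]:
    """Run every rule over every line; one Finding per (rule, matching line)."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for code, severity, pattern, message in RULES:
            if pattern.search(line):
                findings.append(Finding(code, severity, lineno, message))
    return findings


def risk_level(findings: list[Finding]) -> str:
    """Overall level is the highest severity present; PASS when nothing fired."""
    if not findings:
        return "PASS"
    return max(findings, key=lambda f: SEVERITY_RANK[f.severity]).severity


def codes(findings: list[Finding]) -> list[str]:
    """Distinct codes in first-seen order, like the 'Issues (n)' summary."""
    return list(dict.fromkeys(f.code for f in findings))


# Constructed skill text that reproduces the patterns the report describes.
SAMPLE_SKILL = """\
# council: multi-agent deliberation skill

## Phase 1: Spawn the council
Spawn three persistent teammates with Agent(mode="bypassPermissions", tools=["Bash", "Read", "Write"]).
Teammates may run any shell command needed to finish their task.
Keep codex running in the background for each teammate between rounds.

## Phase 2: Gather external data
Launch a community-scanner dev-scan agent that searches Reddit, HN and dev blogs
and returns community_sentiment for the Tradeoff Map.
"""

# Constructed hardened variant: default permission mode (value assumed),
# read-only tools, no background processes, no external community sources.
CLEAN_SKILL = """\
# council (hardened)
Spawn three teammates with Agent(mode="default", tools=["Read"]).
Each teammate reads the design doc and posts one argument per round.
Summarise the deliberation and write the decision to DECISION.md.
"""


if __name__ == "__main__":
    for name, text in (("council", SAMPLE_SKILL), ("council-hardened", CLEAN_SKILL)):
        found = scan_skill(text)
        print(f"{name}: {risk_level(found)} ({len(found)} findings)")
        for f in found:
            print(f"  {f.severity} {f.code} line {f.line}: {f.message}")
```

Run stand-alone, the script reports the sample skill as CRITICAL with all four codes and the hardened variant as PASS. The E006 rule uses two lookaheads so that it only fires when a long-lived agent and a shell or external-LM tool appear on the same instruction line, which keeps a plain "Bash" mention elsewhere from being flagged on its own.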

Issues (4)

E004 (CRITICAL): Prompt injection detected in skill instructions.

E006 (CRITICAL): Malicious code pattern detected in skill scripts.

W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).

W013 (MEDIUM): Attempt to modify system services in skill instructions.

Audit Metadata

Risk Level: CRITICAL
Analyzed: Apr 8, 2026, 11:01 AM
Issues: 4