coding-agent

Fail

Audited by Snyk on Mar 1, 2026

Risk Level: CRITICAL
Full Analysis

CRITICAL E006: Malicious code pattern detected in skill scripts.

  • Malicious code pattern detected (high risk: 0.90). This skill instructs operators to run interactive coding agents with dangerous options (e.g., --yolo/no sandbox, elevated host execution), spawn persistent PTY-backed background sessions controllable via stdin/keys, and append external “wake” notifications — a combination that readily enables remote code execution, credential or data exfiltration, and supply-chain abuse if misused.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The SKILL.md explicitly instructs cloning and operating on public GitHub repos (e.g., "git clone https://github.com/user/repo.git $REVIEW_DIR") and running coding agents in those workdirs so the agent will read and act on untrusted, user-generated repository/PR content, enabling indirect prompt injection.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). The skill includes a runtime git clone of https://github.com/user/repo.git followed immediately by running codex review in that cloned workdir, so externally fetched repository content is loaded into the agent's execution context and can directly influence prompts or lead to code execution.

Audit Metadata

Risk Level: CRITICAL
Analyzed: Mar 1, 2026, 05:14 AM