oracle

Fail

Audited by Snyk on Mar 12, 2026

Risk Level: CRITICAL
Full Analysis

CRITICAL E006: Malicious code pattern detected in skill scripts.

  • Malicious code pattern detected (high risk: 0.90). The code intentionally reads and decrypts Chrome cookies (including ChatGPT session tokens) and writes them to a local file, and it invokes a remote npm package via npx — patterns that enable credential theft and supply‑chain abuse even if intended for automation.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.80). The skill explicitly loads and interacts with a configurable external ChatGPT URL: chatgptUrl in ~/.turbo/config.json, scripts/run_oracle.py passing --chatgpt-url to the oracle browser engine, and refresh_cookies.py calling https://chatgpt.com/api/auth/session. It therefore fetches and ingests third-party web-hosted responses that the agent is expected to read and act on, enabling indirect prompt injection.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). High-confidence: scripts/run_oracle.py invokes npx -y @steipete/oracle at runtime (which fetches and executes remote npm package code), and it also forwards the externally-configurable chatgptUrl (default https://chatgpt.com/) to that runtime, so remote code execution and external prompt/control are possible.

Issues (3)

  • E006 (CRITICAL): Malicious code pattern detected in skill scripts.
  • W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
  • W012 (MEDIUM): Unverifiable external dependency detected (runtime URL that controls agent).

Audit Metadata
Risk Level: CRITICAL
Analyzed: Mar 12, 2026, 10:37 AM
Issues: 3