worker-dispatch

CRITICAL E006: Malicious code pattern detected in skill scripts.

• Malicious code pattern detected (high risk: 1.00). The skill contains high-risk patterns: it explicitly runs codex exec with a "--dangerously-bypass-approvals-and-sandbox" flag (allowing arbitrary/unrestricted execution), spawns background worker processes that can be granted network-capable tools (WebFetch/WebSearch and various mcp__* tools), and posts/reads structured data to GitHub—together enabling remote code execution and potential data exfiltration of repo or environment secrets even though no explicit obfuscation is present.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly fetches and injects user-generated GitHub content (issue titles, bodies, and comments via gh issue view and gh api/gh issue comment, and allows WebFetch/WebSearch) into worker prompts (see construct_worker_prompt and spawn_replacement_worker), so untrusted third-party issue/comments could supply indirect prompt injections.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill issues a runtime GitHub API call (gh api "/repos/$OWNER/$REPO/issues/$issue/comments") to fetch handover comments which are then injected into construct_worker_prompt, so externally-stored content from the GitHub API can directly control the worker prompt.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 0.80). The skill explicitly runs worker processes with "codex exec --dangerously-bypass-approvals-and-sandbox" and grants broad tools (Bash, Edit, Write) enabling arbitrary commands outside normal sandboxing, which is a directive to bypass security controls even though it doesn't explicitly request sudo or create users.