deepen-plan

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.90). The prompt instructs the agent to recursively read and "return" full contents of many local files (SKILL.md, installed_plugins.json, learning .md files, plugin/agent directories, etc.) and to spawn sub-agents that must "return the skill's full output," which effectively requires including verbatim file contents (and thus any secrets those files might contain) in the agent outputs — creating a high exfiltration risk.

CRITICAL E006: Malicious code pattern detected in skill scripts.

• Malicious code pattern detected (high risk: 1.00). This skill contains deliberate, high-risk orchestration instructions—recursively discovering and reading project and user files (including ~/.claude and plugin caches), parsing installed_plugins.json, and spawning/fully executing every discovered skill/agent in parallel—behavior that enables unauthorized local data access, credential exposure, arbitrary code execution, and supply-chain abuse (i.e., clear backdoor/exfiltration and RCE-enabling patterns).

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The SKILL.md explicitly instructs the agent to "Use WebSearch for current best practices" and to query external docs via Context7 (mcp__plugin_compound-engineering_context7__query-docs) and spawn research agents to fetch articles/blogs, which means it will ingest untrusted public web content and act on it as part of its workflow.