env-patch

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.90). The skill explicitly instructs retrieving "real values" from the browser (via evaluate_script) and patching them into run.js, which directs copying runtime values (which can include tokens/keys/cookies) verbatim into generated code, creating a high exfiltration risk.

CRITICAL E006: Malicious code pattern detected in skill scripts.

• Malicious code pattern detected (high risk: 0.90). This toolkit purposefully enables executing downloaded/obfuscated browser JS inside Node while hiding Node characteristics, spoofing native functions, hooking/evaluating dynamic code (eval/Function/vm.runInThisContext) and tracing/storage hooks to extract signing/behavior — there is no explicit built-in data exfiltration or command-and-control, but the capabilities to evade detection and run arbitrary third‑party code make it high-risk and readily abused for credentialed-request automation or other illicit uses.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill's workflow and references (SKILL.md and references/dynamic-loading.md) explicitly instruct fetching arbitrary JS from external URLs (curl examples like https://cdn.example.com/sdk/xxxxx.js and API endpoints) and loading/executing that code in Node (vm.runInThisContext / require), which clearly ingests untrusted, user-provided third-party content that can alter runtime behavior.