knowledge-absorber

Fail

Audited by Snyk on Apr 19, 2026

Risk Level: CRITICAL
Full Analysis

CRITICAL E006: Malicious code pattern detected in skill scripts.

  • Malicious code pattern detected (high risk: 0.90). High-risk design: the skill explicitly instructs that external file contents be injected into the system prompt (prompt-injection backdoor) and that shell/file operations (RunCommand/Write) be run using generated names (Title) without sanitization. Combined with attacker-controlled input, this enables remote influence, command injection/RCE and persistence. Additional risky elements (headless Chromium with --no-sandbox, the ability to fetch arbitrary URLs and write files) increase abuse potential.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.85). This skill's content_ingester.py clearly fetches arbitrary public URLs (via requests and DrissionPage) and writes cleaned page text to config/raw_content.txt. SKILL.md explicitly requires the agent to read raw_content.txt and use it to choose modes and generate/write output files, so untrusted third-party webpage content is read and can materially influence generation and subsequent actions.

Issues (2)

  • E006 (CRITICAL): Malicious code pattern detected in skill scripts.
  • W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).

Audit Metadata

Risk Level: CRITICAL
Analyzed: Apr 19, 2026, 02:49 PM
Issues: 2