update-services

CRITICAL E006: Malicious code pattern detected in skill scripts.

• Malicious code pattern detected (high risk: 1.00). The content deliberately instructs users to disclose their sudo password in chat and shows how to store and reuse it (echoing into sudo), and it also advises running a remote install script via curl | sh and modifying systemd units—patterns that enable credential theft, remote code execution, and supply-chain compromise.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill explicitly instructs fetching and executing content from public third-party sites (e.g., "echo "$SUDO_PASS" | sudo -S curl -fsSL https://ollama.com/install.sh | sh" in references/update-ollama.md and "docker pull ghcr.io/open-webui/open-webui:main" in references/update-open-webui.md), so it consumes untrusted open-web content as part of the required update workflow which could introduce external instructions that materially affect subsequent actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). The skill explicitly runs remote code at runtime (curl -fsSL https://ollama.com/install.sh | sh) and pulls/runs a Docker image from ghcr.io/open-webui/open-webui:main, both of which fetch and execute external content the skill relies on.