agents-consilium

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The skill explicitly instructs agents to read and echo raw context (pipe files) and to include verbatim and CDATA-wrapped agent responses in reports, so any secrets present in source or piped input would be output verbatim (exfiltration risk).

CRITICAL E006: Malicious code pattern detected in skill scripts.

• Malicious code pattern detected (high risk: 0.90). The package intentionally subverts its claimed read-only guard for the OpenCode backend (opencode-query.sh passes --dangerously-skip-permissions) while running untrusted LLM-backed agents in the caller's working directory (with capability to read project files and call external APIs), which is a deliberate bypass that can enable secret exfiltration, write/exec escalation by backends, or remote code execution—this is a high-risk, backdoor-like design choice.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly allows agents to "use web search / fetch if their backend supports it" (see "Agent Freedom and Read-Only Guardrails" in SKILL.md) and the agent backends (Claude Code, OpenCode, Codex) are invoked without network fetch restrictions, so the agents can fetch and interpret arbitrary public web content which could influence their recommendations and tool actions.