agent-channeltalk

CRITICAL E006: Malicious code pattern detected in skill scripts.

• Malicious code pattern detected (high risk: 1.00). The package contains intentional credential-extraction behavior (scanning desktop app and Chromium cookie DBs, decrypting macOS Keychain/Windows DPAPI cookies, and auto-storing session/account JWTs in plaintext) and provides capabilities to act as the authenticated user (read/send messages, bulk broadcasts, auto-responses), which enables credential theft and account impersonation; no obfuscated backdoor, remote command execution, or hidden network exfiltration was found, but the built-in silent extraction and plaintext storage are high-risk and easily abused.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly fetches and ingests user-generated Channel Talk content (e.g., via agent-channeltalk snapshot, message list, group messages in SKILL.md and references/common-patterns.md, and templates/monitor-chat.sh) and instructs agents to read that snapshot/chat messages and act (including auto-respond), so untrusted third-party chat content can influence tool use and decisions.