cm

Fail

Audited by Snyk on Jun 6, 2026

Risk Level: CRITICAL
Full Analysis

CRITICAL E005: Suspicious download URL detected in skill instructions.

  • Suspicious download URL detected (high risk: 0.90). The list includes direct executable downloads and installer scripts from a personal GitHub repo (raw install.sh plus release binaries like .exe/.macOS/.linux), which — combined with a username that is not well known — are high-risk for malware distribution even though many npm and CDN links are legitimate.

CRITICAL E006: Malicious code pattern detected in skill scripts.

  • Malicious code pattern detected (high risk: 0.90). The repository contains several deliberate design choices that enable remote code/data transfer and remote control (notably an automatic remote-build offloader, an HTTP MCP server that can be bound to non-loopback hosts, and a curl|bash installer), plus agent policy text that enforces unconditional obedience—together these present high-risk patterns for data exfiltration, remote execution/backdoor abuse, and supply-chain exposure.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.75). The required runtime workflow for cm context "<task>" --json ingests cass search history snippets (including historySnippets[].snippet text) into the agent’s LLM context via the “Generator” stage, and those snippets can originate from outsider-authored agent sessions (other agents’ logs, i.e., non-user-authored text).

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).


MEDIUM W013: Attempt to modify system services in skill instructions.

  • Attempt to modify system services in skill instructions detected (high risk: 0.70). The skill documentation includes system-wide installation and maintenance commands (e.g., "sudo mv ./dist/cass-memory /usr/local/bin/cm", "install.sh --system", cron jobs, "cm doctor --fix", and server installation with non-loopback options) that instruct modifying system files and installing services which require elevated privileges or change machine state.

Issues (5)

  • E005 (CRITICAL): Suspicious download URL detected in skill instructions.
  • E006 (CRITICAL): Malicious code pattern detected in skill scripts.
  • W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
  • W012 (MEDIUM): Unverifiable external dependency detected (runtime URL that controls agent).
  • W013 (MEDIUM): Attempt to modify system services in skill instructions.

Audit Metadata
Risk Level: CRITICAL
Analyzed: Jun 6, 2026, 04:02 AM
Issues: 5