dcg

Fail

Audited by Snyk on Jun 3, 2026

Risk Level: CRITICAL
Full Analysis

CRITICAL E005: Suspicious download URL detected in skill instructions.

  • Suspicious download URL detected (high risk: 0.70). This list is mixed — many benign official GitHub/crates.io and localhost/internal endpoints are present, but it also contains high‑risk entries (direct .sh/.tar.gz downloads from "evil.com", raw script URLs intended to be piped to shell, blob storage URLs, and generic/templated release-download links that can be abused or spoofed), so it represents a non-trivial malware distribution risk.

CRITICAL E006: Malicious code pattern detected in skill scripts.

  • Malicious code pattern detected (high risk: 0.90). The repository includes explicit features that exfiltrate and execute user code remotely (RCH offload to external Contabo workers), a persistent/self‑healing hook installation capable of re-installing itself, and a network-facing MCP/server integration plus legacy install/update flows that fetch and run remote scripts — together these are high-risk patterns enabling data exfiltration, remote code execution, and persistence.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (medium risk: 0.65). The required runtime input to the hook is the agent’s PreToolUse JSON (specifically tool_input.command) read from stdin by dcg in the Claude Code hook path; this command string is authored by the operating user’s agent (an outsider relative to the user’s chosen text), so it can contain attacker-controlled free text that is then embedded into dcg’s denial JSON (and thus into the agent’s LLM-visible context via the hook response).

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

Issues (4)

  • E005 (CRITICAL): Suspicious download URL detected in skill instructions.
  • E006 (CRITICAL): Malicious code pattern detected in skill scripts.
  • W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
  • W012 (MEDIUM): Unverifiable external dependency detected (runtime URL that controls agent).

Audit Metadata
Risk Level: CRITICAL
Analyzed: Jun 3, 2026, 02:01 AM
Issues: 4