claude-code-skill

Fail

Audited by Snyk on Apr 28, 2026

Risk Level: CRITICAL
Full Analysis

CRITICAL E006: Malicious code pattern detected in skill scripts.

  • Malicious code pattern detected (high risk: 0.90). The skill is not an obvious trojan with obfuscated payloads, but it deliberately exposes multiple high-risk, convenience-first features (persistent subprocess spawning, custom-engine arbitrary binaries, default bypassPermissions/auto-approve semantics, permissive embedded HTTP OpenAI-compatible API with no-auth by default + permissive CORS, auto-trust/--force flags, and cleanup/deletion tooling) that enable remote code execution, persistent backdoor-like control, and easy data/credential exposure if the server or API is reachable. This composition is a clear, deliberate design tradeoff toward unsafe operation and is highly abusable for exfiltration or remote compromise.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The skill exposes an OpenAI-compatible HTTP endpoint (/v1/chat/completions) and explicitly invites webchat/third-party clients (e.g., ChatGPT-Next-Web, Open WebUI, LobeChat) to send full transcripts (see references/openai-compat.md and cli.md CORS notes), so arbitrary untrusted user-generated content can be ingested as session input and directly influence agent behavior and tool use.

Issues (2)

E006 (CRITICAL): Malicious code pattern detected in skill scripts.

W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).

Audit Metadata

Risk Level: CRITICAL
Analyzed: Apr 28, 2026, 04:14 PM
Issues: 2