autonomous-builder
Fail
Audited by Snyk on May 11, 2026
Risk Level: CRITICAL
Full Analysis
CRITICAL E006: Malicious code pattern detected in skill scripts.
- Malicious code pattern detected (high risk: 0.90). The skill content intentionally combines several autonomous, unattended-operation features that bypass user confirmation and automatically install or run external code: --dangerously-skip-permissions, auto-install via npx, auto-registering and running custom MCP servers, and persistent supervisor scripts. It also automates remote pushes, screenshots, desktop control and dynamic plugin discovery. Taken together these are high-risk primitives that enable remote code execution, persistence or backdoor behavior, and covert data exfiltration if abused.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill's SKILL.md explicitly instructs the agent to discover and invoke MCP tools that navigate to and fetch arbitrary web pages and search the open web (e.g., mcp__puppeteer_navigate, brave-search/WebSearch/WebFetch, ToolSearch for "+playwright"/"context7"), and to read and interpret that page or documentation content to guide implementation and tool selection. This ingests untrusted third-party content that can steer the agent's actions (indirect prompt injection).
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill explicitly auto-installs and invokes remote MCP servers at runtime (e.g., "claude mcp add puppeteer -- npx -y @anthropic-ai/mcp-server-puppeteer"). That command fetches and executes code from the npm registry during execution, and because no version is pinned, the code that runs is whatever the registry serves as latest at that moment. The skill relies on it as a required dependency for MCP capabilities such as browser automation, so it is a runtime external dependency that can execute remote code.
MEDIUM W013: Attempt to modify system services in skill instructions.
- Attempt to modify system services in skill instructions detected (high risk: 0.90). The skill explicitly encourages bypassing permission checks (e.g., --dangerously-skip-permissions), auto-installing MCP servers and system-wide tools, and running auto-restart/supervisor scripts and desktop-control tools. Together these push the agent toward system-level installs and unattended privileged actions that can compromise host state.
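One way to reproduce this kind of triage locally, as an added example that is not Snyk's scanner and not code from the autonomous-builder skill: a small Python scanner that runs the rule set the four findings describe over a constructed SKILL.md. The regexes, the Pass/Warn/Fail policy and the sample file are assumptions; the "claude mcp add ... npx -y ..." command is the one quoted in W012.

```python
"""Static triage of a SKILL.md for the risk primitives named in the audit above.

Added example; this is not Snyk's scanner and not code from the autonomous-builder
skill. The rule regexes, the Pass/Warn/Fail policy and the sample SKILL.md are
constructed for illustration; the finding IDs reuse the audit's labels.
"""
import re
from collections import defaultdict

# finding id -> (severity, description, regexes that trigger it).
# The primitives follow the audit text; the exact regexes are an assumption.
RULES = {
    "E006": ("CRITICAL", "Malicious code pattern detected in skill scripts.", [
        r"--dangerously-skip-permissions",     # bypass user confirmations
        r"\bnpx\s+-y\b",                       # install and run from npm without a prompt
        r"\bgit\s+push\b",                     # automated remote pushes
        r"\b(?:supervisor|auto-?restart)\b",   # persistent supervisor / restart loops
    ]),
    "W011": ("MEDIUM", "Third-party content exposure detected (indirect prompt injection risk).", [
        r"\bmcp__puppeteer_navigate\b",        # fetches arbitrary pages
        r"\b(?:WebSearch|WebFetch|brave-search)\b",
        r"\bToolSearch\b",                     # dynamic tool discovery
    ]),
    "W012": ("MEDIUM", "Unverifiable external dependency detected (runtime URL that controls agent).", [
        r"\bclaude\s+mcp\s+add\b.*\bnpx\b",    # MCP server pulled from the registry at run time
    ]),
    "W013": ("MEDIUM", "Attempt to modify system services in skill instructions.", [
        r"--dangerously-skip-permissions",
        r"\bclaude\s+mcp\s+add\b",             # auto-register an MCP server
        r"\bnpm\s+install\s+(?:-g|--global)\b",  # system-wide tool install
        r"\b(?:supervisor|auto-?restart)\b",
    ]),
}
SEVERITY_RANK = {"MEDIUM": 1, "CRITICAL": 2}

# Constructed sample, not the real skill file. The "claude mcp add" line is the
# command quoted in finding W012.
SAMPLE_SKILL_MD = """\
# autonomous-builder (constructed sample, not the real skill file)
Run unattended: claude --dangerously-skip-permissions -p "build the feature"
Install browser automation: claude mcp add puppeteer -- npx -y @anthropic-ai/mcp-server-puppeteer
Use mcp__puppeteer_navigate and WebFetch to read the framework docs, then follow them.
If the session dies, the supervisor script restarts it and runs git push origin main.
"""


def scan_skill(text):
    """Return {finding_id: [(line_no, line, pattern), ...]} for every rule that fires."""
    hits = defaultdict(list)
    for no, line in enumerate(text.splitlines(), 1):
        for fid, (_sev, _desc, patterns) in RULES.items():
            for pat in patterns:
                if re.search(pat, line):
                    hits[fid].append((no, line.strip(), pat))
    return dict(hits)


def runtime_packages(text):
    """npm specs the skill runs via `npx -y`, with whether a version is pinned.

    An unpinned spec resolves to the registry's current 'latest' tag each run,
    so the code that executes is not fixed by the skill text.
    """
    specs = re.findall(r"npx\s+-y\s+(@?[\w./-]+(?:@[\w.^~-]+)?)", text)
    return sorted((s, "@" in s[1:]) for s in set(specs))


def verdict(hits):
    """Assumed policy: any CRITICAL finding fails, MEDIUM-only warns, none passes."""
    if not hits:
        return "Pass", None
    top = max((RULES[f][0] for f in hits), key=SEVERITY_RANK.__getitem__)
    return ("Fail" if top == "CRITICAL" else "Warn"), top


def report(text):
    """Render findings in the same shape as the audit page."""
    hits = scan_skill(text)
    status, top = verdict(hits)
    lines = [f"{status}  Risk Level: {top or 'NONE'}"]
    for fid in sorted(hits):
        sev, desc, _ = RULES[fid]
        lines.append(f"{sev} {fid}: {desc}")
        for no, line, pat in hits[fid]:
            lines.append(f"  line {no}: {line}   [{pat}]")
    for spec, pinned in runtime_packages(text):
        lines.append(f"runtime npm dependency: {spec} ({'pinned' if pinned else 'unpinned'})")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_SKILL_MD))
```

Running it on the sample fires all four rules and reports the one runtime npm dependency as unpinned. The scanner matches literal strings only, so a skill that spells the same primitives differently (an alias, a wrapper script, a downloaded installer) slips past it; treat a clean result as "nothing obvious", not as a pass.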
Issues (4)
E006 CRITICAL: Malicious code pattern detected in skill scripts.
W011 MEDIUM: Third-party content exposure detected (indirect prompt injection risk).
W012 MEDIUM: Unverifiable external dependency detected (runtime URL that controls agent).
W013 MEDIUM: Attempt to modify system services in skill instructions.
Audit Metadata