canary

CRITICAL E004: Prompt injection detected in skill instructions.

• Potential prompt injection detected (high risk: 0.90). The skill embeds many unrelated, state-changing instructions (telemetry prompts/logging, config changes, writing/touching files, auto-commits to CLAUDE.md, artifact/brain sync, optional downloader/install steps, upgrade flows, etc.) that go beyond "post-deploy canary monitoring" and could modify repo state or exfiltrate artifacts — behavior that is outside the skill's stated purpose and thus constitutes a deceptive/sneaked-in instruction set.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill explicitly fetches and inspects arbitrary web pages provided by the user (and auto-discovers internal links) via the browse daemon (see Phase 3 Page Discovery and Phase 5 Continuous Monitoring using $B goto, $B links, $B text), and those untrusted page contents are read and used to trigger alerts and AskUserQuestion decisions that can change monitoring actions—so third-party content can influence behavior.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill's setup step conditionally downloads and executes a remote installer script at runtime via curl -fsSL "https://bun.sh/install" and then runs it with bash, which fetches and executes remote code (https://bun.sh/install).