canary

CRITICAL E004: Prompt injection detected in skill instructions.

• Potential prompt injection detected (high risk: 0.90). The skill embeds many unrelated, side-effectful and potentially destructive instructions (telemetry prompts, creating/committing CLAUDE.md, git rm/commits, vendoring migration, artifact sync, installer execution, etc.) that are not required for a post-deploy canary monitor and thus act as hidden/deceptive directives outside the skill’s stated purpose.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill explicitly drives the browse daemon to fetch and inspect arbitrary user-supplied/public web pages (see Phase 2/3/4/5: $B goto , $B links, $B snapshot, $B console, $B perf) and then reads/extracts page text/links and uses those results to trigger alerts and AskUserQuestion decisions, so untrusted third‑party content can influence agent actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). The skill's setup step will at runtime curl and execute the installer script from https://bun.sh/install (curl -fsSL "https://bun.sh/install" -o "$tmpfile" && bash "$tmpfile"), which fetches remote code and runs it as a required part of building the browse daemon—this is a high-confidence runtime remote-code-execution dependency.