cso

Fail

Audited by Snyk on May 11, 2026

Risk Level: CRITICAL
Full Analysis

CRITICAL E004: Prompt injection detected in skill instructions.

  • Potential prompt injection detected (high risk: 0.80). The skill embeds many non-audit operational directives (automatic telemetry/analytics writes, artifact syncs, repo-modifying commands such as creating/committing CLAUDE.md or migrating vendored gstack, upgrade flows and prompts) that fall outside the advertised "security audit / report only" purpose. Some run without clear, explicit user consent, so they are hidden/deceptive instructions beyond the skill's stated scope.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The skill's Phase 8 (Skill Supply Chain) explicitly reads and greps SKILL.md files in .claude/skills (repo-local) and, with user approval, globally installed skill files outside the repo. These are untrusted third‑party/user‑generated prompt files that the agent is required to read and interpret as part of the audit workflow, and they could contain prompt‑injection instructions that materially influence decisions or tool use.

Issues (2)

  • E004 (CRITICAL): Prompt injection detected in skill instructions.
  • W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).

Audit Metadata
Risk Level: CRITICAL
Analyzed: May 11, 2026, 08:08 PM
Issues: 2