office-hours

CRITICAL E004: Prompt injection detected in skill instructions.

• Potential prompt injection detected (high risk: 0.90). The skill purports to only run "office hours" and produce design docs, but it embeds numerous explicit system-level actions (git commits, file writes, telemetry uploads, package installs, codex/agent runs, remote syncs, and automatic routing/upgrade flows) that would mutate the environment or exfiltrate data — behavior outside and conflicting with the stated "do NOT start implementation" scope, so it's deceptive.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill explicitly runs WebSearch and instructs the agent to "read the top 2-3 results" as part of Phase 2.75 ("I'd like to search for what the world thinks...") and Phase 3.5 (Codex with web_search_cached), meaning it fetches and ingests public web content that can influence decisions in the workflow.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). The skill's SETUP step conditionally downloads and executes a remote install script (curl -fsSL "https://bun.sh/install" -o "$tmpfile" ... BUN_VERSION="$BUN_VERSION" bash "$tmpfile"), so https://bun.sh/install is fetched at runtime and runs remote code.