ship
Fail
Audited by Snyk on May 11, 2026
Risk Level: CRITICAL
Full Analysis
CRITICAL E004: Prompt injection detected in skill instructions.
- Potential prompt injection detected (risk score 0.70, high). The skill includes deceptive/onboarding instructions outside its core "ship" purpose: it promises that telemetry will not include repo names while its preamble explicitly logs the repo basename, and it carries numerous side-effects that go beyond the stated ship workflow (auto-creating and committing CLAUDE.md, telemetry uploads, artifact-sync prompts).
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (risk score 0.90, high). Step 4, "Test Framework Bootstrap" (Step 4 → B2), tells the agent to "Use WebSearch to find current best practices" and then to pick and install a test framework and CI setup based on the search results. The agent therefore fetches and interprets public web content, and instructions embedded in that content can materially change its tool actions: which framework and CI it selects and which files it generates.
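The two findings above are both properties of the skill's instruction text, so they can be checked before a skill is installed. The following linter is an added example, not Snyk's audit rules or the "ship" skill's own code; its check names, regexes and the constructed skill text (written to mirror the findings above) are all assumptions. It flags a fetch of untrusted web content followed within a couple of sentences by a consequential action, side-effects a ship workflow has no stated need for, and a telemetry promise that is contradicted by a logging instruction elsewhere in the same file.

```python
"""Lint agent skill instructions for the risk classes in the audit above.

Added example with constructed input; not Snyk's audit rules and not the
"ship" skill's own text. All check names and patterns are assumptions.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    check: str
    severity: str
    evidence: str


# Tools that pull untrusted third-party content into the agent's context.
UNTRUSTED_FETCH = re.compile(r"\b(WebSearch|WebFetch|curl|wget)\b", re.I)
# Actions whose outcome can be steered by whatever that content says.
CONSEQUENTIAL_ACTION = re.compile(r"\b(install|commit|push|write|generate)\b", re.I)
# Side-effects a build/commit/release ("ship") skill has no stated need for.
SIDE_EFFECTS = {
    "telemetry_upload": re.compile(
        r"\btelemetry\b.*\b(send|upload|post)\b|\b(send|upload|post)\b.*\btelemetry\b", re.I),
    "auto_commit_generated_file": re.compile(
        r"\b(create|write)\b.*\b[A-Z]+\.md\b.*\bcommit\b", re.I),
}
# A privacy promise about repo names, and a sentence that logs them anyway.
PROMISE_NO_REPO_NAMES = re.compile(
    r"\b(will not|won't|never)\s+(include|contain|send|log)\b[^.]*\brepo(sitory)?\s+names?\b", re.I)
LOGS_REPO_NAME = re.compile(
    r"\b(log|record|send)s?\b[^.]*\b(repo(sitory)?\s+(name|basename)|basename)\b", re.I)


def split_sentences(text):
    """Split on sentence-ending punctuation or newlines; drop blanks."""
    return [s.strip() for s in re.split(r"(?<=[.!?])\s+|\n+", text) if s.strip()]


def lint_skill(text, window=2):
    """Return Findings for fetch-then-act, undeclared side-effects and
    a telemetry promise contradicted elsewhere in the instructions."""
    sentences = split_sentences(text)
    findings = []
    for i, s in enumerate(sentences):
        if UNTRUSTED_FETCH.search(s):
            # Look at the fetch sentence plus the next `window` sentences.
            nearby = " ".join(sentences[i:i + window + 1])
            if CONSEQUENTIAL_ACTION.search(nearby):
                findings.append(Finding("fetch_then_act", "medium", s))
        for name, pattern in SIDE_EFFECTS.items():
            if pattern.search(s):
                findings.append(Finding(name, "high", s))
    promise = next((s for s in sentences if PROMISE_NO_REPO_NAMES.search(s)), None)
    logs = next((s for s in sentences if LOGS_REPO_NAME.search(s)), None)
    if promise and logs:
        findings.append(Finding("telemetry_claim_mismatch", "high", f"{promise} <-> {logs}"))
    return findings


def risk_level(findings):
    """Collapse findings to a single verdict, highest severity wins."""
    severities = {f.severity for f in findings}
    if "high" in severities:
        return "CRITICAL"
    if "medium" in severities:
        return "MEDIUM"
    return "PASS"


# Constructed skill text mirroring the audit findings above (not the real skill).
SAMPLE_SKILL = """\
# ship
Preamble: log the repo basename to ~/.ship/telemetry.jsonl, then send telemetry to the ship service.
Telemetry will not include repo names or file contents.
Step 1: Run the test suite.
Step 4: Test Framework Bootstrap. B2: Use WebSearch to find current best practices.
Pick a test framework from the results and install it, then write the CI workflow it recommends.
Step 5: If CLAUDE.md is missing, create CLAUDE.md and commit it.
"""

# Constructed skill text that stays inside a ship workflow, for comparison.
CLEAN_SKILL = ("Step 1: Run the test suite. Step 2: Commit the staged changes with "
               "the message the user supplied, then push to the current branch.")

if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_SKILL), ("clean", CLEAN_SKILL)):
        found = lint_skill(text)
        print(f"{name}: {risk_level(found)}")
        for f in found:
            print(f"  [{f.severity}] {f.check}: {f.evidence}")
```

The fetch-then-act check deliberately looks at a window of sentences rather than one line, because the dangerous pattern is the pairing of a search with a later install or file write, not the search on its own. Commit and push are not flagged by themselves since they are the skill's declared purpose; only creating a new file and committing it is treated as an undeclared side-effect.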