tampermonkey

Fail

Audited by Snyk on May 1, 2026

Risk Level: CRITICAL
Full Analysis

CRITICAL E006: Malicious code pattern detected in skill scripts.

  • Malicious code pattern detected (high risk: 0.90). The skill content is a comprehensive, dual-use Tampermonkey userscript guide. It includes multiple explicit, high-risk primitives and examples: unsafeWindow.eval, GM_addElement bypassing CSP, GM_xmlhttpRequest/@connect, GM_cookie listing/backup/restore, @grant none/@connect *, webRequest interception, dynamic script injection, cookie manipulation, and examples that encourage broad @match/@connect. If used maliciously, these can be directly leveraged for data exfiltration, credential theft, remote code execution and other backdoor behaviors.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The skill's documentation and required workflow explicitly instruct fetching and ingesting arbitrary third-party content (e.g., @require and @resource URLs in SKILL.md, GM_xmlhttpRequest/GM.xmlHttpRequest examples in http-requests.md and api-async.md, and unsafeWindow/DOM scraping in api-dom-ui.md), so the agent would read untrusted web pages/resources and act on them, allowing indirect prompt-injection via those external sources.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.80). The skill explicitly shows @require examples that fetch and execute remote JavaScript at userscript runtime (for example: https://code.jquery.com/jquery-3.6.0.min.js), which is a runtime external dependency that would execute remote code if used in a userscript.

Issues (3)

  • E006 (CRITICAL): Malicious code pattern detected in skill scripts.
  • W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
  • W012 (MEDIUM): Unverifiable external dependency detected (runtime URL that controls agent).

Audit Metadata

Risk Level: CRITICAL
Analyzed: May 1, 2026, 10:09 AM
Issues: 3