setup-all
Fail
Audited by Snyk on Apr 9, 2026
Risk Level: CRITICAL
Full Analysis
CRITICAL E006: Malicious code pattern detected in skill scripts.
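- Malicious code pattern detected (high risk: 0.90). Although the script itself contains no obfuscation and no code that directly uploads data, it automatically installs third-party packages from remote sources (npx/GitHub) and runs them fully automatically (including reading/modifying user configuration such as ~/.claude.json, skills that automatically read API keys, and all in-house skills marked run_after_install in the manifest). When triggered through the claude CLI it is also granted broad tool permissions (including Bash execution), which clearly amplifies the risk of supply-chain attacks, credential theft, and remote code execution or backdoor implantation.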
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The setup_all script (scripts/setup_all.py) installs skills from public sources specified in manifest.json (e.g., npx_source like horizon-continental/hct-skills@... and public_skills from anthropics/skills@...), then auto-triggers them via claude -p so Claude will read and execute the downloaded SKILL.md files, which are arbitrary public/third‑party content that can influence tool usage and behavior.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 1.00). The setup script invokes npx at runtime to fetch and install external skill packages (e.g., "npx skills add horizon-continental/hct-skills@env-diagnose" and "npx skills add anthropics/skills@pdf"), and those fetched packages include SKILL.md and code that the script then triggers via claude -p (so remote content controls prompts/execution).
Issues (3)
- E006 (CRITICAL): Malicious code pattern detected in skill scripts.
- W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
- W012 (MEDIUM): Unverifiable external dependency detected (runtime URL that controls agent).