yolo

CRITICAL E006: Malicious code pattern detected in skill scripts.

• Malicious code pattern detected (high risk: 0.85). This skill intentionally provisions an environment to run Claude Code with --dangerously-skip-permissions (fully autonomous, unattended access) and copies plugin assets into the project while granting containerized access to mounted volumes and allowed external endpoints (Anthropic, GitHub, npm, etc.), creating a high risk of data exfiltration and abuse even though there is no obfuscated payload or explicit reverse-shell/backdoor code present.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The devcontainer's Dockerfile fetches and executes remote artifacts at build time (e.g., wget "https://github.com/deluan/zsh-in-docker/releases/download/…/zsh-in-docker.sh" | sh and wget "https://github.com/dandavison/delta/releases/download/…/git-delta_… .deb" followed by dpkg -i), so these external GitHub URLs are used during runtime to execute remote code and are required for the container setup.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 1.00). The skill explicitly instructs creating and modifying system/stateful artifacts (scaffolding .devcontainer files, copying plugin files), starting the Docker daemon with sudo, granting NET_ADMIN/NET_RAW capabilities, configuring a firewall script with sudo, and launching Claude with --dangerously-skip-permissions (giving full in-container control and access to mounted credentials), which together request elevated privileges and enable broad changes to the host/container environment and potential security bypasses.