pi-agent

Fail

Audited by Snyk on Jun 12, 2026

Risk Level: CRITICAL
Full Analysis

CRITICAL E006: Malicious code pattern detected in skill scripts.

  • Malicious code pattern detected (high risk: 0.90). The documentation describes multiple high-risk, abuse-friendly capabilities (unrestricted extension/package loading, arbitrary shell/tool execution, provider proxies/baseUrl that can receive Authorization headers, shell-command interpolation for secrets, and writable auth/session storage) that — while legitimate features — provide clear, deliberate primitives an attacker could use for credential theft, data exfiltration, remote code execution, persistent compromise, and supply‑chain attacks if untrusted packages/extensions or malicious configs are installed or enabled.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.85). High indirect prompt-injection risk: the pi-web-access extension’s fetch_content/web_search tools can ingest arbitrary outsider-authored web page/article/repo/PDF/video transcript text at runtime and then include it in the agent’s LLM context.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). The pi-web-access package exposes a runtime fetch_content tool that fetches arbitrary URLs (e.g., https://github.com/owner/repo) and clones/loads their contents into the agent context, which are then injected into prompts and can directly control model behavior.

Issues (3)

  • E006 (CRITICAL): Malicious code pattern detected in skill scripts.
  • W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
  • W012 (MEDIUM): Unverifiable external dependency detected (runtime URL that controls agent).

Audit Metadata

  • Risk Level: CRITICAL
  • Analyzed: Jun 12, 2026, 07:45 PM
  • Issues: 3