skill-builder
Fail
Audited by Snyk on Mar 21, 2026
Risk Level: CRITICAL
Full Analysis
CRITICAL E006: Malicious code pattern detected in skill scripts.
- Malicious code pattern detected (high risk: 0.90). High-risk: the content includes deliberate, dangerous patterns — remote-execution installer one-liners (curl | python / curl | sh), an LLM enhancement wrapper that intentionally disables permission checks and grants Write/Edit tools to the model, automated clone/copy-and-install flows for third‑party repos and auto-upload behaviors — together these enable remote code execution, silent skill installation, and potential data exfiltration or backdoor persistence.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill explicitly fetches and ingests open/public third‑party content — e.g., "skill-seekers scrape --url ...", "skill-seekers github --repo ...", the Step 1 git clone/webfetch flow and unified multi-source commands in SKILL.md and references — and the agent is expected to read and act on that scraped GitHub/docs/PDF content to generate/route skills, so untrusted user-generated web content could materially influence tool use and behavior.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 1.00). The skill includes installation and intake steps that fetch-and-execute remote content at runtime (e.g., python3 -c "$(curl -fsSL https://raw.githubusercontent.com/yusufkaraaslan/Skill_Seekers/main/setup.py)", curl -LsSf https://astral.sh/uv/install.sh | sh, and runtime git clone --depth 1 {repo} which pulls a remote repo including SKILL.md), so external URLs are used during runtime to execute code or to supply instructions that will control the agent.
Issues (3)
CRITICAL E006: Malicious code pattern detected in skill scripts.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).