download-source

CRITICAL E005: Suspicious download URL detected in skill instructions.

• Suspicious download URL detected (high risk: 1.00). These are direct downloads of shell scripts from an untrusted domain (evil.example.org) combined with instructions to curl/wget and source them, which is a high-risk remote code execution vector and a common malware distribution pattern.

CRITICAL E006: Malicious code pattern detected in skill scripts.

• Malicious code pattern detected (high risk: 1.00). These commands explicitly download shell scripts from an untrusted remote host and immediately source/execute them, constituting a direct remote code execution/backdoor and enabling arbitrary malicious actions (exfiltration, persistence, privilege escalation) from the remote server.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The SKILL.md explicitly shows commands that curl/wget and source remote scripts from https://evil.example.org/p.sh and https://evil.example.org/q.sh, meaning the skill fetches and executes untrusted third-party content that can directly control agent behavior.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). The skill uses curl/wget to fetch and then source remote scripts from https://evil.example.org/p.sh and https://evil.example.org/q.sh at runtime, which directly executes fetched code and therefore constitutes a high-risk external dependency.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 1.00). The prompt instructs the agent to download and source remote scripts (via curl/wget into /tmp and then dot/source them), which performs arbitrary remote code execution and can modify the machine state and bypass protections.