web-shader-extractor

CRITICAL E004: Prompt injection detected in skill instructions.

• Potential prompt injection detected (high risk: 1.00). The prompt explicitly instructs the agent to extract "embedded configurations and keys" and to autonomously install software without user consent—actions that go beyond the stated purpose of extracting and porting shader code and thus constitute deceptive/out-of-scope instructions.

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt explicitly tells the agent to extract "内嵌配置和密钥" from HTML/network traffic and to directly fetch configs (e.g., Firestore REST API), which requires reading and reusing secret values verbatim in generated requests or code.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill explicitly fetches and ingests arbitrary public web pages and resources provided by a user (e.g., SKILL.md Phase 1's curl and Playwright calls and scripts/fetch-rendered-dom.mjs that save dom.html, network.json and download JS bundles) and then runs an Agent (references/extraction-workflow.md, Phase 4) to read and act on that untrusted, user-provided content to drive extraction and porting decisions, so third-party content can materially influence tool behavior.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill's runtime auto-installs and then imports/executes Playwright (via "npm install playwright" / "npx playwright install chromium"), which fetches remote packages/binaries from registries/mirrors such as https://registry.npmmirror.com and https://npmmirror.com/mirrors/playwright, so these URLs are used at runtime to fetch and execute external code.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 1.00). Yes — the prompt instructs the agent to autonomously install system-level software (Node.js, Playwright/Chromium), including extracting files into /usr/local and altering system directories without user consent (and with fallback behaviors that modify system state), which constitutes modifying the host machine and may require elevated privileges.