listenhub

CRITICAL E004: Prompt injection detected in skill instructions.

• Potential prompt injection detected (high risk: 0.90). Yes — the prompt instructs the agent to "handle automatically — never ask the user" and to silently run auto-install and auto-login commands, which are deceptive hidden behaviors outside the router's stated routing purpose.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The SKILL.md routing table explicitly maps a "parse URL" / "extract content" intent to a /content-parser skill, which indicates the agent will accept arbitrary URLs and delegate to a content-parsing workflow that ingests third-party web content (open/public/untrusted) as part of its required routing instructions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill's prerequisites require auto-installing and running an external CLI ("npm install -g @marswave/listenhub-cli" and subsequent listenhub commands), which fetches and executes remote code at runtime (npm registry), so this is a required runtime external dependency that can execute code.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (medium risk: 0.60). The skill instructs the agent to automatically install a global CLI (npm install -g) and perform an auto-login, which require modifying the host system and may involve elevated privileges, so it pushes the agent to change the machine state.