moai

CRITICAL E006: Malicious code pattern detected in skill scripts.

• Malicious code pattern detected (high risk: 0.85). The skill contains multiple high-risk orchestration features — dynamic generation of agent/skill artifacts, spawning teammates that inherit injected API keys via tmux, and delegating read/write/exec-capable agents to external LLM/GLM endpoints — which create clear supply‑chain, data‑exfiltration and backdoor attack surfaces (secrets/credentials, code, and git history can be sent to third‑party models and dynamically generated agents can be written and later executed).

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The Brain workflow (workflows/brain.md, Phase 3: Research) explicitly requires parallel WebSearch and Context7 calls to gather public web research, and those untrusted web results are consumed and used to drive later decisions (proposal/spec generation and handoff), which could allow indirect prompt injection from third-party content.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill explicitly injects ANTHROPIC_BASE_URL=https://api.z.ai/api/anthropic into tmux session envs and describes spawning GLM teammates that call the Z.AI/Anthropic API at runtime (CG/GLM team modes), so runtime requests to that URL execute remote model inference which directly drives agent prompts/behavior.