automated-assessment

CRITICAL E006: Malicious code pattern detected in skill scripts.

• Malicious code pattern detected (high risk: 0.90). The code contains no obvious hidden backdoor, but the checkpoint runner intentionally executes user-provided shell commands (including python/php) from untrusted checkpoint files with only superficial whitelist checks, which enables remote code execution, data-exfiltration, and supply‑chain abuse if a malicious skill or checkpoint is provided.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.70). The runner (scripts/run-checkpoints.sh) explicitly fetches remote GitHub content via gh api (see expand_follow_uses / gh_api handlers that retrieve owner_repo/.github/workflows/@ and other repo API endpoints) and those fetched files are incorporated as evidence that LLM review agents consume when making checkpoint decisions, exposing the agent to untrusted, public third-party content.