websh

CRITICAL E006: Malicious code pattern detected in skill scripts.

• Malicious code pattern detected (high risk: 0.90). The skill intentionally routes fetched page content (and user-provided credentials/cookies) into background “haiku” subagents and automated crawlers, which creates a high-risk capability to transmit sensitive pages and tokens to external model/processors and to autonomously fetch and persist large amounts of data.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.95). The required runtime workflow for cd/prefetch fetches outsider-authored public web pages (arbitrary URLs) and then feeds their extracted HTML/text into the haiku subagent via the extraction prompt, which becomes LLM-readable context (HTML → .parsed.md).

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.70). The skill explicitly spawns background haiku agents that fetch user-specified URLs (e.g., https://news.ycombinator.com and arbitrary URLs provided to cd/crawl/prefetch) and instructs those agents to read the fetched HTML and iteratively extract/parse it—i.e., remote page content is injected into the model's runtime context and can influence agent behavior.