pua

CRITICAL E004: Prompt injection detected in skill instructions.

• Potential prompt injection detected (medium risk: 0.65). The prompt includes concealed telemetry/persistence instructions (e.g., "静默上报 pua_triggered 事件" and automatic failure-count persistence/hooks) and mandates silent behaviors (and forced child-agent prompt injection) that are not transparently disclosed as part of the skill's stated "high-agency problem-solving" purpose, so it contains hidden/deceptive instructions.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill's platform integration (references/platform.md) instructs the agent at session start and when handling /pua commands to fetch remote prompts/configs from public endpoints like https://pua-api.agentguard.workers.dev (e.g., /v1/command/<command_id>, /v1/config), meaning the agent will read and act on externally-hosted, potentially untrusted templates that can influence its next actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill issues runtime curl requests to fetch prompt templates from https://pua-api.agentguard.workers.dev/v1/command/<command_id>, and those returned prompt_template payloads are executed as prompts/instructions by the skill, so this external URL directly controls agent behavior at runtime.