afk

Fail

Audited by Snyk on May 16, 2026

Risk Level: CRITICAL
Full Analysis

CRITICAL E006: Malicious code pattern detected in skill scripts.

  • Malicious code pattern detected (high risk: 0.90). This skill intentionally bypasses model sandboxes and sends repository content to external LLM runners while autonomously committing, merging, and pushing LLM-generated code into main (including the ability to modify CI/workflows), which creates high-probability vectors for data exfiltration, credential exposure to third-party models, and supply-chain/backdoor insertion; these are deliberate, high-risk design choices.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). /afk fetches GitHub issue bodies and triage comments via gh issue list / gh issue view (scripts/afk.sh write_drop) and writes them into .red/tmp/drop-*.md which the inner agent runners (runner-claude/runner-codex) are explicitly instructed in AGENT-PROMPT.md to "Read it first" and treat as authoritative, so untrusted user-generated GitHub content can directly drive the agent's decisions and actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.80). The skill runs git fetch origin/main at runtime and includes the recent commits from main in the $full_prompt sent to the inner agents (claude/codex), meaning the repository origin remote (e.g. git@github.com:org/repo.git) is fetched at runtime and its content can directly influence the agent prompt and subsequent code actions.


Audit Metadata

  • Risk Level: CRITICAL
  • Analyzed: May 16, 2026, 05:33 PM
  • Issues: 3