ddd-aggregate

Fail

Audited by Snyk on Jun 13, 2026

Risk Level: CRITICAL
Full Analysis

CRITICAL E006: Malicious code pattern detected in skill scripts.

  • Malicious code pattern detected (high risk: 0.90). The skill contains explicit remote-execution and telemetry hooks (npx @claude-flow/cli) plus commands that write to an external hierarchical/memory store and a "--train-neural true" flag, which together present high risk for supply‑chain remote code execution and unintended data exfiltration/backdoor behavior.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 1.00). The skill invokes npx @claude-flow/cli@latest at runtime for pre- and post-task hooks (e.g., "npx @claude-flow/cli@latest hooks pre-task ..." and "npx @claude-flow/cli@latest hooks post-task ..."), which fetches and executes remote package code during execution, so it is a runtime external dependency that can control behavior.

Issues (2)

  • E006 (CRITICAL): Malicious code pattern detected in skill scripts.

  • W012 (MEDIUM): Unverifiable external dependency detected (runtime URL that controls agent).

Audit Metadata
Risk Level: CRITICAL
Analyzed: Jun 13, 2026, 01:23 PM
Issues: 2