managed-agent

CRITICAL E006: Malicious code pattern detected in skill scripts.

• Malicious code pattern detected (high risk: 0.90). The skill exposes high-risk capabilities (arbitrary command execution in a cloud container, unrestricted network egress to user-specified endpoints including mcpServers, installable packages/init scripts, persistent filesystem and transcripts, and reliance on an environment API key) that are not themselves malicious but can be trivially abused for data exfiltration, credential theft, remote code execution/backdoors, and persistence.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill accepts user-supplied mcpServers URL endpoints (mcpServers: [{type:"url", url, ...}]) that the managed Anthropic agent will reach at runtime to invoke tools on those remote MCP servers, which can execute code and directly affect the agent's behavior.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 1.00). The skill provisions and controls a persistent cloud container and explicitly allows running initScripts, installing packages (apt/pip/etc.), and executing arbitrary shell commands (and supplying reachable MCP servers), which lets the agent modify filesystem, install services, or otherwise change the machine state.