steedos-plugin

Fail

Audited by Snyk on Apr 25, 2026

Risk Level: CRITICAL
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The skill instructs writing the B6_PLUGIN_NPMRC content (which may contain an auth token like //npm.mycompany.com/:_authToken=TOKEN123) directly into plugins/.npmrc, which requires the agent to handle and potentially output secret values verbatim.

CRITICAL E006: Malicious code pattern detected in skill scripts.

  • Malicious code pattern detected (high risk: 0.90). High risk: the system intentionally installs and executes arbitrary NPM packages specified via environment variables and writes a .npmrc (which may contain auth tokens), creating a straightforward vector for remote code execution, credential theft, post-install malicious scripts, typosquat/supply‑chain attacks, and backdoors.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The skill automatically installs and loads arbitrary NPM packages specified by the B6_PLUGIN_MODULES and B6_PLUGIN_PACKAGES environment variables (see "Install if changed — run npm install in plugins/" and "resolve B6_PLUGIN_MODULES packages → require dist/plugin.module.js"), which causes untrusted, third‑party code from public registries to be ingested and executed as part of runtime behavior and can materially change agent actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). The skill writes a custom .npmrc (e.g. one pointing at https://npm.mycompany.com/) and runs npm install at startup to fetch NPM packages, which are then require()'d (dist/plugin.module.js). Remote registry content is therefore fetched at runtime and executed as code.

Issues (4)

HIGH W007: Insecure credential handling detected in skill instructions.
CRITICAL E006: Malicious code pattern detected in skill scripts.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

Audit Metadata
Risk Level: CRITICAL
Analyzed: Apr 25, 2026, 10:36 AM
Issues: 4