evaluating-with-promptfoo

Fail

Audited by Snyk on Mar 29, 2026

Risk Level: CRITICAL
Full Analysis

CRITICAL E006: Malicious code pattern detected in skill scripts.

  • Malicious code pattern detected (high risk: 0.90). The content documents an offensive, dual-use red‑teaming toolkit with multiple explicit features that enable intentional abuse: data‑exfiltration plugins and poisoned‑RAG tooling, jailbreak/prompt‑injection strategies, HTTP/custom providers that can send environment secrets to arbitrary endpoints, arbitrary JS/Python hooks/assertions and file:// providers that allow remote code execution, and an MCP server/CI integrations that can be abused as a remote execution/backdoor vector.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The skill's documentation (INSTRUCTIONS.md and references/PROVIDERS.md) explicitly supports ingesting external, arbitrary HTTP endpoints (providers with config.url), Google Sheets and other external data sources, and RAG/context extraction plus red-team strategies like "indirect-web-pwn" and "indirect-prompt-injection" — all of which indicate the agent will read and act on untrusted third-party content that can alter subsequent transforms, assertions, and test flows.

Issues (2)

CRITICAL E006: Malicious code pattern detected in skill scripts.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

Audit Metadata
Risk Level: CRITICAL
Analyzed: Mar 29, 2026, 11:13 PM
Issues: 2
Security Audit — snyk — evaluating-with-promptfoo