team

CRITICAL E006: Malicious code pattern detected in skill scripts.

• Malicious code pattern detected (high risk: 1.00). High risk: the skill intentionally and silently preloads local persona files ("/Users/nke/.claude/personas/*.md") before any user interaction and hides that activity ("Loading personas..."), creating a concealed local-data access pathway that — combined with permitted web_search/mcp__exa tool calls — could be used to exfiltrate sensitive information; no explicit eval/remote-shell code was found, but the deliberate concealment of file reads is a backdoor-like privacy/exfiltration pattern.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly requires using web_search (and mcp__exa) to cite technical claims during Phase 3 (see SKILL.md "Cite all technical claims using exa or web search" and references/team-config.yaml's p3_team_discussion allow list), so it ingests public web content that could contain untrusted/user-generated instructions and materially influence the team's analysis and next actions.