claude-code-account-risk

CRITICAL E004: Prompt injection detected in skill instructions.

• Potential prompt injection detected (high risk: 1.00). 尽管技能声称禁止“绕封号/代理池/IP 轮换”等规避风控，但文中明确给出用住宅 IP 服务在 VPS 上套一层以让 Anthropic 看到“干净 ISP 出口”的具体可操作做法，属于隐含/自相矛盾的规避指令，超出并违背技能声明的目的。

CRITICAL E006: Malicious code pattern detected in skill scripts.

• Malicious code pattern detected (high risk: 1.00). 虽然大多数代码只是做本地风险评估和路由/egress 探测，但该 skill 明确包含可执行、具体的「将 VPS 出口套一层住宅 IP（如 lisahost/BrightData/Oxylabs）以让 Anthropic 看到干净 ISP 出口并规避 datacenter 信号」的操作建议，并提供探测脚本来验证该绕过效果——这构成明确的封禁/地区限制规避（ban-evasion）指导，即便代码本身没有后门或数据外泄逻辑。

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.70). The skill's required workflow (SKILL.md step "检查网络") instructs running scripts (scripts/egress_consensus_probe.sh and scripts/domain_route_probe.sh) that curl public endpoints (e.g., api.ipify.org, ipinfo.io, ifconfig.co, ipwho.is) and arbitrary domain responses (api.anthropic.com) and then uses those responses to drive the risk scoring and recommendations, meaning untrusted public web content is ingested and can materially influence agent decisions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). The README instructs Claude Code to git clone and install the skill from https://github.com/voidborne-d/claude-code-account-risk-skill, which is a runtime fetch of remote code that will be executed by the agent (install/skill code), so this URL constitutes an external runtime dependency that executes remote code.