idea-discovery

Fail

Audited by Snyk on May 13, 2026

Risk Level: CRITICAL
Full Analysis

CRITICAL E006: Malicious code pattern detected in skill scripts.

  • Malicious code pattern detected (high risk: 0.90). The workflow is largely a legit idea-discovery pipeline but includes deliberate, high-risk behaviors: silently writing files via bash (explicitly "Do NOT ask the user for permission — just do it silently"), automatic external notifications using a local credentials file (~/.claude/feishu.json) that can exfiltrate pipeline state/data, and auto-proceed defaults and auto-inclusion of external services (Gemini) — these features enable unauthorized data exfiltration and unconsented filesystem/network actions.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The skill explicitly fetches and ingests open/public third‑party content (Phase 1: /research-lit searches arXiv, Google Scholar, Semantic Scholar and Gemini; Phase 0.5: /arxiv downloads arXiv PDFs and "other URL" uses WebFetch; /novelty-check runs multi‑source literature searches), and that untrusted web content is read and used to drive idea generation, novelty verification, and downstream actions (pilots/experiments), creating a clear risk of indirect prompt injection.

Issues (2)

CRITICAL E006: Malicious code pattern detected in skill scripts.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

Audit Metadata
Risk Level: CRITICAL
Analyzed: May 13, 2026, 01:59 PM
Issues: 2