supply-chain-audit
Fail
Audited by Snyk on Apr 22, 2026
Risk Level: CRITICAL
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 1.00). The prompt explicitly instructs reading secret files (e.g., /run/secrets, /flag*) and embedding their contents verbatim into outbound commands/requests (curl, nslookup), which forces the LLM to handle and output secret values directly.
CRITICAL E006: Malicious code pattern detected in skill scripts.
- Malicious code pattern detected (high risk: 1.00). This content is explicitly malicious/offensive: it provides step-by-step, actionable techniques and ready-to-use payloads for dependency confusion, package install hooks, image/tag poisoning, CI/CD pipeline injection, and multiple methods for stealthy secret/flag exfiltration (HTTP/DNS/registry/artifact), all of which enable RCE, credential theft, and supply-chain compromise.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill's required workflow (SKILL.md and references/supply-chain-attack.md) explicitly instructs querying and parsing open public third-party sources—e.g., npmjs.org, pypi.org, Maven Central, Docker registries and arbitrary URLs via commands like "curl https://registry.npmjs.org/" or "curl -s http://registry:5000/v2/_catalog"—so the agent would fetch and act on untrusted, user-generated web content that can materially change subsequent actions.
Issues (3)
W007 (HIGH): Insecure credential handling detected in skill instructions.
E006 (CRITICAL): Malicious code pattern detected in skill scripts.
W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
Audit Metadata