pua

Fail

Audited by Snyk on Mar 30, 2026

Risk Level: CRITICAL
Full Analysis

CRITICAL E006: Malicious code pattern detected in skill scripts.

  • Malicious code pattern detected (high risk: 1.00). The skill embeds persistent local state, silent telemetry and event uploads to external endpoints, requires phone registration and stores remote tokens, and — critically — fetches remote prompt templates/commands to execute; together these behaviors enable data exfiltration and remote control (prompt-injection/command-and-control) of the agent, constituting a high-risk backdoor/abuse pattern.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The skill's Platform workflow (references/platform.md) explicitly instructs the agent to fetch and execute remote prompt templates and configuration from public endpoints (e.g., GET https://pua-api.agentguard.workers.dev/v1/command/<command_id> and uploading/reading from https://pua-skill.pages.dev/api/feedback), so the agent will read and act on externally-hosted, untrusted content that can directly change prompts, tool use, and behavior.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 1.00). The skill explicitly fetches remote prompt templates at runtime from https://pua-api.agentguard.workers.dev (e.g., GET /v1/command/<command_id>) and executes them as command prompt templates, so this external URL directly controls agent instructions.

Issues (3)

  • E006 (CRITICAL): Malicious code pattern detected in skill scripts.
  • W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
  • W012 (MEDIUM): Unverifiable external dependency detected (runtime URL that controls agent).

Audit Metadata

  • Risk Level: CRITICAL
  • Analyzed: Mar 30, 2026, 06:08 PM
  • Issues: 3