cto

CRITICAL E004: Prompt injection detected in skill instructions.

• Potential prompt injection detected (high risk: 0.90). The prompt includes an out-of-scope self-update instruction (in Chinese) that tells the agent to git clone a GitHub repo and overwrite its skill directory, which is a hidden/meta-control that can change agent behavior and execute external code and thus qualifies as a deceptive prompt injection risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The SKILL.md includes a "自更新" (self-update) rule that on user request runs "git clone" from the public GitHub URL https://github.com/yzfly/CTO-Skills and overwrites the skill directory, which clearly fetches and ingests arbitrary third‑party repository content at runtime that can change agent behavior.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill includes a runtime "self-update" action that runs git clone https://github.com/yzfly/CTO-Skills and overwrites the skill directory, which fetches remote code at runtime that can change agent prompts/behavior (https://github.com/yzfly/CTO-Skills).

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (medium risk: 0.60). The skill explicitly instructs the agent to write and overwrite files in its working and skill directories (including a "self-update" git clone that would replace the current skill directory), which modifies the agent's runtime state and codebase even though it doesn't request sudo or system-level config changes — this is a non-trivial risk of compromising the machine's agent state.