Data exfiltration instruction in skill
What it detects
Instructions inside a SKILL.md file that direct the agent to send data to an external HTTP endpoint — POST/curl/wget/fetch to a non-local URL, or phrasing like "send to the server/endpoint/url/api" or "upload/transmit/pipe to remote".
This fires on the instruction itself, not on legitimate API documentation — the pattern requires an explicit send/transmit verb paired with an external destination, not just the presence of a URL.
Real example
SKILL.md instructs the agent to exfiltrate data via Telegram. AI-confirmed.
How to fix it
Skill files must not instruct the agent to transmit data anywhere outside the user's own request/response loop. If the skill's actual purpose requires an external call (e.g. a legitimate webhook integration), that call belongs in MCP server tool code with explicit user-visible configuration — not buried in a skill description the user never reads before it's loaded into every agent context.