html-pr-review

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The skill explicitly instructs the agent to fetch and render raw diff hunks (inline in the HTML) and include file contents and line-level code, so any secrets present in the repository diffs would be reproduced verbatim in the artifact, creating an exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill's SKILL.md workflow explicitly instructs the agent to fetch PR data (e.g., "get the actual hunks via git diff <base>..<head>, the GitHub URL via MCP" and "read the PR description") which requires ingesting user-generated, public GitHub/PR content that the agent will read and use to make review decisions, so untrusted third‑party content can influence subsequent actions.