external-mindstudio-gitcode-code-reviewer

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The skill explicitly asks to prompt the user for a GitCode access token if not found and includes examples that embed the token directly in commands/URLs (e.g., export GITCODE_TOKEN="your-token", git clone using oauth2:${GITCODE_TOKEN}@...), which requires the LLM to accept and potentially output secret values verbatim.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly fetches and ingests user-generated PR data from the public GitCode APIs (e.g., scripts/fetch_pr_info.py calls https://api.gitcode.com/... to retrieve PR metadata, files, diffs, and comments, and SKILL.md/README describe reading PR content and comments), so arbitrary third‑party PR text can be read and used to drive the agent's review decisions and posting actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill may perform a runtime git clone of the target repository using the URL pattern "https://oauth2:${GITCODE_TOKEN}@gitcode.com//.git", which fetches remote code that is then read and injected into the agent's review context (directly controlling prompts), and cloning is relied upon when the local workspace doesn't contain the target repo.